AI description
CVE-2024-37361 is a deserialization vulnerability (CWE-502) in Hitachi Vantara's Pentaho Business Analytics Server. The server deserializes untrusted JSON data without constraining the parser to an approved set of classes and methods, so the JSON itself can decide which classes get instantiated. That is what makes "gadget chains" usable: sequences of object instantiations and method calls that the deserializer executes on its own, before the resulting object is ever returned to the caller, letting an attacker perform unauthorized actions. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, base score 9.9) describes a network-reachable flaw that needs only low-privilege credentials and no user interaction, with a scope change and full impact on confidentiality, integrity and availability. Affected are 10.x releases before 10.2.0.0, 9.3.x releases before 9.3.0.9, and the whole 8.3.x line. Hitachi Vantara recommends upgrading to 10.2.0.0 or 9.3.0.9 (or later); as an additional measure, removing the Pentaho Interactive Reporting plugin is suggested.
- Description
- The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. (CWE-502) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods. When developers place no restrictions on "gadget chains," or series of instances and method invocations that can self-execute during the deserialization process (i.e., before the object is returned to the caller), it is sometimes possible for attackers to leverage them to perform unauthorized actions.
- Source
- security.vulnerabilities@hitachivantara.com
- NVD status
- Received
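The description says the parser is not constrained to approved classes and methods. The Java program below is added here as an illustration; it is not Pentaho code and is not taken from the Hitachi Vantara advisory. It shows what that distinction looks like in a typical Java JSON stack: a Jackson ObjectMapper (2.10 or later is assumed, for activateDefaultTyping) with default typing enabled and no subtype validation instantiates whatever class the incoming JSON names in its type id, while the same mapper constrained by a BasicPolymorphicTypeValidator allowlist rejects the type id before any object is built. The ReportFilter, DateRangeFilter and ReportRequest types and both JSON documents are constructed for the example; java.util.HashMap stands in for a class the application never meant to deserialize at that position, and no gadget chain is involved.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

// Added example (not Pentaho's code): the same JSON fed to an unrestricted and to an
// allowlisted polymorphic deserializer. Requires jackson-databind 2.10+ on the classpath.
public class JsonTypeAllowlistDemo {

    // Hypothetical application model standing in for a report filter.
    public interface ReportFilter { }

    public static final class DateRangeFilter implements ReportFilter {
        public String from;
        public String to;
    }

    public static final class ReportRequest {
        public String title;
        public Object filter;   // declared as Object: the JSON's type id picks the runtime class
    }

    // Constructed sample input: what a legitimate client would send. With default typing in
    // WRAPPER_ARRAY form the value is ["fully.qualified.ClassName", { ...fields... }].
    static final String BENIGN = "{\"title\":\"q1\",\"filter\":[\""
            + DateRangeFilter.class.getName()
            + "\",{\"from\":\"2024-01-01\",\"to\":\"2024-03-31\"}]}";

    // Constructed sample input: identical shape, but naming a class the application never
    // intended here. java.util.HashMap is a harmless stand-in; an attacker would name a
    // gadget class that is present on the server's classpath.
    static final String HOSTILE =
            "{\"title\":\"q1\",\"filter\":[\"java.util.HashMap\",{\"x\":1}]}";

    /** Unrestricted: any class on the classpath may appear in a type id. This is what the
     *  old enableDefaultTyping() call amounted to. */
    static ObjectMapper permissiveMapper() {
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(LaissezFaireSubTypeValidator.instance,
                ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    /** Restricted: only the listed types are accepted as polymorphic subtypes; anything
     *  else fails with InvalidTypeIdException instead of being instantiated. */
    static ObjectMapper allowlistedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(DateRangeFilter.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    /** Reports which class ended up in the filter field, or why deserialization stopped. */
    static String describe(ObjectMapper mapper, String json) {
        try {
            ReportRequest r = mapper.readValue(json, ReportRequest.class);
            return "instantiated " + r.filter.getClass().getName();
        } catch (InvalidTypeIdException e) {
            return "rejected type id " + e.getTypeId();
        } catch (java.io.IOException e) {
            return "failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("permissive / benign : " + describe(permissiveMapper(), BENIGN));
        System.out.println("permissive / hostile: " + describe(permissiveMapper(), HOSTILE));
        System.out.println("allowlist  / benign : " + describe(allowlistedMapper(), BENIGN));
        System.out.println("allowlist  / hostile: " + describe(allowlistedMapper(), HOSTILE));
    }
}
```

The permissive mapper hands back a java.util.HashMap for the hostile document, which means the client, not the application, chose the class; the allowlisted mapper rejects that type id and still accepts the DateRangeFilter document. The Class-based rule used here is checked after Jackson has resolved the class; the allowIfSubType(String prefix) overload is checked against the name alone, before class loading, and is the stricter choice when the approved types share a package.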
CVSS 3.1
- Type
- Secondary
- Base score
- 9.9
- Impact score
- 6
- Exploitability score
- 3.1
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- Severity
- CRITICAL
- CWE
- CWE-502 (source: security.vulnerabilities@hitachivantara.com)
- Hype score
- Not currently trending
Critical vulnerability CVE-2024-37361 in Hitachi Vantara's Pentaho Business Analytics Server (CVSS 9.9) allows for arbitrary code execution through untrusted JSON. Upgrade or mitigate now! 🛡️🔒 #Hitachi #Pentaho #DataSecurity link: https://t.co/ZpjqADMAIZ https://t.co/0Bq2bWZRs
@TweetThreatNews
24 Feb 2025
51 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A critical vulnerability, CVE-2024-37361 (CVSS 9.9), affects Pentaho Business Analytics Server, posing severe risks (https://t.co/EgPNYxvUaQ). Users are urged to verify patch status immediately. #cybersecurity
@adriananglin
24 Feb 2025
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-37361 (CVSS 9.9): Critical Vulnerability in Pentaho Business Analytics Server https://t.co/ekwHM9gM4F
@Dinosn
23 Feb 2025
2326 Impressions
4 Retweets
8 Likes
3 Bookmarks
0 Replies
0 Quotes
CVE-2024-37361 (CVSS 9.9): Critical Vulnerability in Pentaho Business Analytics Server Discover CVE-2024-37361, a critical vulnerability in Hitachi Vantara Pentaho. Learn its risks and how to secure your server. https://t.co/FB8KsKevmw
@the_yellow_fall
23 Feb 2025
538 Impressions
3 Retweets
10 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2024-37361 ⚠️🔴 CRITICAL (9.9) 🏢 Hitachi Vantara - Pentaho Data Integration & Analytics 🏗️ 10.0 🔗 https://t.co/C8QkJF0y3o #CyberCron #VulnAlert https://t.co/Rx8Tq3vRYG
@cybercronai
21 Feb 2025
177 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
1 Quote
[CVE-2024-37361: CRITICAL] Deserialization flaws in Hitachi Vantara Pentaho Business Analytics Server could allow attackers to perform unauthorized actions by exploiting untrusted JSON data. Fix recommended. #cybersecurity, #vulnerability https://t.co/n2WFRLyCke https://t.co/U0GNc7
@CveFindCom
20 Feb 2025
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-37361 The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. (CWE-502) Hitachi Vantara Pentaho Business A… https://t.co/rvrBubFXIa
@CVEnew
19 Feb 2025
517 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes