CVE-2024-37362

Summary

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. (CWE-522)

 

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, discloses database passwords when saving connections to RedShift.

 

Products must not disclose sensitive information without cause. Disclosure of sensitive information can lead to further exploitation.

Affected Software

VendorProductVersion RangeStatus
Hitachi VantaraPentaho Data Integration & Analytics10.0 < 10.2.0.0affected
Hitachi VantaraPentaho Business Analytics Server1.0 < 9.3.0.8affected

Weaknesses

  • CWE-522: CWE-522 Insufficiently Protected Credentials

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References