CVE-2025-0758

Summary

Overview 

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. (CWE-732) 

Description 

Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x and 8.3.x, is installed with Karaf JMX beans enabled and accessible by default. 

Impact 

When the vulnerability is leveraged, a user with local execution privileges can access functionality exposed by Karaf beans contained in the product.

Affected Software

VendorProductVersion RangeStatus
Hitachi VantaraPentaho Business Analytics Server1.0 <= 9.3.*affected
Hitachi VantaraPentaho Business Analytics Server10.0 < 10.2.0.2affected

Weaknesses

  • CWE-732: CWE-732 Incorrect Permission Assignment for Critical Resource

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References