Overview 

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. (CWE-1220)

 

Products Affected 

Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x

 

Description 

Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not correctly perform an authorization check in the user console trash content

 

Impact 

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network.

 

Action  

We recommend you upgrade to the latest Hitachi Vantara Pentaho version 10.2 release. For version 9.3 we recommend updating to Service Packs 9.3.0.9 or above where this vulnerability is addressed.

Please review the Pentaho End-of-Life policy to ensure you are up to date.

 

---