Cyber Resilience

CVE-2024-5705

High

Published: 19 February 2025

Published
19 February 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 10.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-5705 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Pentaho Business Analytics Server (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).

Deeper analysis

CVE-2024-5705 is an incorrect authorization vulnerability (CWE-863) affecting Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including the 8.3.x series. The issue stems from flawed authorization checks that fail to properly restrict access to resources or actions, allowing attackers to bypass intended controls. Additionally, modules are enabled by default in these versions that permit execution of system-level processes, exacerbating the risk. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.

Low-privileged remote users (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction required. Successful exploitation enables attackers to access unauthorized data, perform restricted actions, and execute system-level processes, potentially leading to information disclosure, arbitrary code execution, denial of service, and other impacts across confidentiality, integrity, and availability.

The official Pentaho support advisory confirms the issue as resolved in versions 10.2.0.0 and 9.3.0.9, recommending upgrades to these patched releases for mitigation. Administrators should verify module configurations to disable unnecessary system process execution capabilities where possible.

EU & UK References

Vulnerability details

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. (CWE-863) Hitachi Vantara Pentaho Business Analytics…

more

Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, have modules enabled by default that allow execution of system level processes. When access control checks are incorrectly applied, users can access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures and denial of service.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Auth bypass in public-facing analytics server enables unauthorized access and system process execution (RCE).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-41303Shared CWE-863
CVE-2026-28473Shared CWE-863
CVE-2026-42434Shared CWE-863
CVE-2025-21565Shared CWE-863
CVE-2026-46823Shared CWE-863
CVE-2026-44260Shared CWE-863
CVE-2024-13277Shared CWE-863
CVE-2025-30743Shared CWE-863
CVE-2026-30947Shared CWE-863
CVE-2025-0781Shared CWE-863

Affected Assets

Pentaho
Business Analytics Server
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 mandates enforcement of approved authorizations for access to resources, directly countering the flawed authorization checks that enable bypass in CVE-2024-5705.

prevent

CM-7 requires configuring systems to provide only essential capabilities, mitigating default-enabled modules that allow unauthorized system-level process execution.

prevent

AC-6 enforces least privilege to restrict the scope of actions low-privileged users can perform even if authorization checks are bypassed.

References