Cyber Posture

CVE-2024-5705

Severity: High
Published: 19 February 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (10.1st percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-5705 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Pentaho Business Analytics Server (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 10.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-3 mandates enforcement of approved authorizations for access to resources, directly countering the flawed authorization checks that enable bypass in CVE-2024-5705.

Prevent: CM-7 requires configuring systems to provide only essential capabilities, mitigating default-enabled modules that allow unauthorized system-level process execution.

Prevent: AC-6 enforces least privilege to restrict the scope of actions low-privileged users can perform even if authorization checks are bypassed.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

Authorization bypass in a public-facing analytics server enables unauthorized access and system process execution (RCE).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. (CWE-863) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, have modules enabled by default that allow execution of system level processes. When access control checks are incorrectly applied, users can access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures and denial of service.

Deeper analysis

CVE-2024-5705 is an incorrect authorization vulnerability (CWE-863) affecting Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including the 8.3.x series. The issue stems from flawed authorization checks that fail to properly restrict access to resources or actions, allowing attackers to bypass intended controls. Additionally, modules are enabled by default in these versions that permit execution of system-level processes, exacerbating the risk. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.

Low-privileged remote users (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction required. Successful exploitation enables attackers to access unauthorized data, perform restricted actions, and execute system-level processes, potentially leading to information disclosure, arbitrary code execution, denial of service, and other impacts across confidentiality, integrity, and availability.

The official Pentaho support advisory confirms the issue as resolved in versions 10.2.0.0 and 9.3.0.9, recommending upgrades to these patched releases for mitigation. Administrators should verify module configurations to disable unnecessary system process execution capabilities where possible.

Details

CWE(s): CWE-863 (Incorrect Authorization)

Affected Products: Pentaho Business Analytics Server (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-41303 (shared CWE-863)
CVE-2026-28473 (shared CWE-863)
CVE-2026-42434 (shared CWE-863)
CVE-2026-34376 (shared CWE-863)
CVE-2026-23989 (shared CWE-863)
CVE-2026-4933 (shared CWE-863)
CVE-2026-31887 (shared CWE-863)
CVE-2026-28808 (shared CWE-863)
CVE-2026-34532 (shared CWE-863)
CVE-2026-21309 (shared CWE-863)
