CVE-2024-5706
Published: 19 February 2025
Summary
CVE-2024-5706 is a high-severity Resource Injection (CWE-99) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 mandates input validation to reject or filter invalid JNDI identifiers before use, directly preventing resource injection attacks that control unauthorized system-level data sources.
AC-3 enforces approved access authorizations for resources, mitigating unrestricted use of upstream inputs as identifiers for data sources outside the intended sphere of control.
SI-2 requires timely remediation of the specific flaw in Pentaho versions before 10.2.0.0 and 9.3.0.9, patching the failure to restrict JNDI identifiers during Community Dashboard creation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
JNDI resource injection in public-facing Pentaho web app enables remote exploitation (T1190) by low-priv users to achieve RCE and full impacts (T1068).
NVD Description
The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99) Hitachi Vantara…
more
Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not restrict JNDI identifiers during the creation of Community Dashboards, allowing control of system-level data sources. An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information, which can lead to remote code execution by unauthorized users.
Deeper analysisAI
CVE-2024-5706 is a resource injection vulnerability (CWE-99) in Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.9, including the 8.3.x series. The issue arises because the software receives input from an upstream component without properly restricting it before using it as an identifier for resources outside its intended control. Specifically, it fails to restrict JNDI identifiers during the creation of Community Dashboards, enabling attackers to control system-level data sources.
An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving high confidentiality, integrity, and availability impacts (CVSS 8.8). This allows unauthorized access to or modification of sensitive data and system resources, including protected files and directories such as configuration files containing sensitive information, potentially leading to remote code execution.
The official advisory from Hitachi Vantara Pentaho support indicates that the vulnerability has been resolved in versions 10.2.0.0 and 9.3.0.9. Security practitioners should apply these patches to mitigate the risk, as affected versions remain vulnerable to exploitation by low-privileged users.
Details
- CWE(s)