Details of VAR-202305-2206

ID

VAR-202305-2206

CVE

CVE-2023-1158

TITLE

Hitachi Vantara's Vantara Pentaho and Pentaho Business Analytics Fraud related to unauthorized authentication in

Trust: 0.8

sources: JVNDB: JVNDB-2023-022742

DESCRIPTION

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x expose dashboard prompts to users who are not part of the authorization list. Hitachi Vantara's Vantara Pentaho and Pentaho Business Analytics Exists in a fraudulent authentication vulnerability.Information may be obtained

Trust: 1.71

sources: NVD: CVE-2023-1158 // JVNDB: JVNDB-2023-022742 // VULMON: CVE-2023-1158

AFFECTED PRODUCTS

vendor:	hitachi	model:	vantara pentaho business analytics server	scope:	gte	version:	9.3.0.0	Trust: 1.0
vendor:	hitachi	model:	vantara pentaho business analytics server	scope:	eq	version:	9.4.0.0	Trust: 1.0
vendor:	hitachi	model:	vantara pentaho	scope:	lte	version:	8.3.0.25	Trust: 1.0
vendor:	hitachi	model:	vantara pentaho business analytics server	scope:	lte	version:	9.3.0.3	Trust: 1.0
vendor:	hitachi	model:	vantara pentaho	scope:	gte	version:	8.3.0.0	Trust: 1.0
vendor:	日立ヴァンタラ	model:	vantara pentaho	scope:	eq	version:	8.3.0.0 to 8.3.0.25	Trust: 0.8
vendor:	日立ヴァンタラ	model:	pentaho business analytics	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2023-022742 // NVD: CVE-2023-1158

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-1158
value:	MEDIUM
Trust: 1.0
security.vulnerabilities@hitachivantara.com:	CVE-2023-1158
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2023-1158
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202305-2171
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2023-1158
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	1.4
version:	3.1
Trust: 2.0
NVD:	CVE-2023-1158
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2023-022742 // CNNVD: CNNVD-202305-2171 // NVD: CVE-2023-1158 // NVD: CVE-2023-1158

PROBLEMTYPE DATA

problemtype:	CWE-863	Trust: 1.0
problemtype:	Illegal authentication (CWE-863) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-022742 // NVD: CVE-2023-1158

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202305-2171

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202305-2171

PATCH

title:	(Resolved) Pentaho BA Server - Incorrect Authorization - Versions before 9.4.0.1 and 9.3.0.3, including 8.3.x Impacted (CVE-2023-1158)	url:	https://support.pentaho.com/hc/en-us/articles/14456024873741-IMPORTANT-Resolved-Pentaho-BA-Server-Incorrect-Authorization-Versions-before-9-4-0-1-and-9-3-0-3-including-8-3-x-Impacted-CVE-2023-1158-	Trust: 0.8
title:	Hitachi Vantara Pentaho Business Analytics Server Security vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=240066	Trust: 0.6

sources: JVNDB: JVNDB-2023-022742 // CNNVD: CNNVD-202305-2171

EXTERNAL IDS

db:	NVD	id:	CVE-2023-1158	Trust: 3.3
db:	JVNDB	id:	JVNDB-2023-022742	Trust: 0.8
db:	CNNVD	id:	CNNVD-202305-2171	Trust: 0.6
db:	VULMON	id:	CVE-2023-1158	Trust: 0.1

sources: VULMON: CVE-2023-1158 // JVNDB: JVNDB-2023-022742 // CNNVD: CNNVD-202305-2171 // NVD: CVE-2023-1158

REFERENCES

url:	https://support.pentaho.com/hc/en-us/articles/14456024873741-important-resolved-pentaho-ba-server-incorrect-authorization-versions-before-9-4-0-1-and-9-3-0-3-including-8-3-x-impacted-cve-2023-1158-	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2023-1158	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2023-1158/	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2023-1158 // JVNDB: JVNDB-2023-022742 // CNNVD: CNNVD-202305-2171 // NVD: CVE-2023-1158

SOURCES

db:	VULMON	id:	CVE-2023-1158
db:	JVNDB	id:	JVNDB-2023-022742
db:	CNNVD	id:	CNNVD-202305-2171
db:	NVD	id:	CVE-2023-1158

LAST UPDATE DATE

2024-08-14T13:41:47.758000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2023-1158	date:	2023-05-25T00:00:00
db:	JVNDB	id:	JVNDB-2023-022742	date:	2024-01-24T04:31:00
db:	CNNVD	id:	CNNVD-202305-2171	date:	2023-06-02T00:00:00
db:	NVD	id:	CVE-2023-1158	date:	2023-06-01T16:05:50.803

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2023-1158	date:	2023-05-24T00:00:00
db:	JVNDB	id:	JVNDB-2023-022742	date:	2024-01-24T00:00:00
db:	CNNVD	id:	CNNVD-202305-2171	date:	2023-05-24T00:00:00
db:	NVD	id:	CVE-2023-1158	date:	2023-05-24T22:15:09.123