Common Weakness Enumeration

CWE-99

Allowed-with-Review

Improper Control of Resource Identifiers ('Resource Injection')

Abstraction: Class · Status: Draft

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

112 vulnerabilities reference this CWE, most recent first.

GHSA-3W8Q-3783-R4V7

Vulnerability from github – Published: 2025-08-10 06:30 – Updated: 2025-08-10 06:30
VLAI
Details

A vulnerability classified as problematic was found in LitmusChaos Litmus up to 3.19.0. Affected by this vulnerability is an unknown functionality. The manipulation of the argument projectID leads to improper control of resource identifiers. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8793"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-99"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-10T04:15:43Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as problematic was found in LitmusChaos Litmus up to 3.19.0. Affected by this vulnerability is an unknown functionality. The manipulation of the argument projectID leads to improper control of resource identifiers. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-3w8q-3783-r4v7",
  "modified": "2025-08-10T06:30:27Z",
  "published": "2025-08-10T06:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8793"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MaiqueSilva/VulnDB/blob/main/readme03.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.319321"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.319321"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.625956"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4R4M-V89P-5C69

Vulnerability from github – Published: 2024-08-03 18:30 – Updated: 2024-08-03 18:30
VLAI
Details

A vulnerability has been found in SimpleMachines SMF 2.1.4 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php?action=profile;u=2;area=showalerts;do=read of the component User Alert Read Status Handler. The manipulation of the argument aid leads to improper control of resource identifiers. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-273523. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7438"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-99"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-03T16:15:49Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in SimpleMachines SMF 2.1.4 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php?action=profile;u=2;area=showalerts;do=read of the component User Alert Read Status Handler. The manipulation of the argument aid leads to improper control of resource identifiers. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-273523. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-4r4m-v89p-5c69",
  "modified": "2024-08-03T18:30:33Z",
  "published": "2024-08-03T18:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7438"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Fewword/Poc/blob/main/smf/smf-poc2.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.273523"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.273523"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.380190"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4WJP-4MM4-3WRH

Vulnerability from github – Published: 2024-08-12 15:30 – Updated: 2025-01-13 21:30
VLAI
Details

A vulnerability, which was classified as problematic, has been found in projectsend up to r1605. This issue affects the function get_preview of the file process.php. The manipulation leads to improper control of resource identifiers. The attack may be initiated remotely. Upgrading to version r1720 is able to address this issue. The patch is named eb5a04774927e5855b9d0e5870a2aae5a3dc5a08. It is recommended to upgrade the affected component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7658"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-99"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-12T13:38:49Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as problematic, has been found in projectsend up to r1605. This issue affects the function get_preview of the file process.php. The manipulation leads to improper control of resource identifiers. The attack may be initiated remotely. Upgrading to version r1720 is able to address this issue. The patch is named eb5a04774927e5855b9d0e5870a2aae5a3dc5a08. It is recommended to upgrade the affected component.",
  "id": "GHSA-4wjp-4mm4-3wrh",
  "modified": "2025-01-13T21:30:47Z",
  "published": "2024-08-12T15:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7658"
    },
    {
      "type": "WEB",
      "url": "https://github.com/projectsend/projectsend/commit/eb5a04774927e5855b9d0e5870a2aae5a3dc5a08"
    },
    {
      "type": "WEB",
      "url": "https://github.com/projectsend/projectsend/releases/tag/r1720"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.274115"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.274115"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.385000"
    },
    {
      "type": "WEB",
      "url": "https://www.kiyell.com/private-files-from-projectsend-idor"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5M9G-M2VJ-47R4

Vulnerability from github – Published: 2024-01-30 15:30 – Updated: 2024-01-30 15:30
VLAI
Details

A flaw was found in the Linux kernel's memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is "max page sharing=256", it is possible for the attacker to time the unmap to merge with the victim's page. The unmapping time depends on whether it merges with the victim's page and additional physical pages are created beyond the KSM's "max page share". Through these operations, the attacker can leak the victim's page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-99"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-30T15:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in the Linux kernel\u0027s memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is \"max page sharing=256\", it is possible for the attacker to time the unmap to merge with the victim\u0027s page. The unmapping time depends on whether it merges with the victim\u0027s page and additional physical pages are created beyond the KSM\u0027s \"max page share\". Through these operations, the attacker can leak the victim\u0027s page.",
  "id": "GHSA-5m9g-m2vj-47r4",
  "modified": "2024-01-30T15:30:22Z",
  "published": "2024-01-30T15:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0564"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-0564"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680513"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258514"
    },
    {
      "type": "WEB",
      "url": "https://link.springer.com/conference/wisa"
    },
    {
      "type": "WEB",
      "url": "https://wisa.or.kr/accepted"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5W65-7GFR-VXJF

Vulnerability from github – Published: 2023-12-13 00:30 – Updated: 2023-12-13 00:30
VLAI
Details

Hitachi Vantara Pentaho Data Integration & Analytics versions before 9.5.0.1 and 9.3.0.5, including 8.3.x does not restrict JNDI identifiers during the creation of XActions, allowing control of system level data sources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3517"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-99"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-12T23:15:07Z",
    "severity": "HIGH"
  },
  "details": "\nHitachi Vantara Pentaho Data Integration \u0026 Analytics versions before 9.5.0.1 and 9.3.0.5, including \n8.3.x does not restrict JNDI identifiers during the creation of XActions, allowing control of system level data sources.\n\n",
  "id": "GHSA-5w65-7gfr-vxjf",
  "modified": "2023-12-13T00:30:37Z",
  "published": "2023-12-13T00:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3517"
    },
    {
      "type": "WEB",
      "url": "https://support.pentaho.com/hc/en-us/articles/19668665099533"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6HG2-95WW-WHJ9

Vulnerability from github – Published: 2025-04-17 00:30 – Updated: 2025-04-17 00:30
VLAI
Details

Overview

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99)

Description

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not restrict JNDI identifiers during the creation of platform data sources.

Impact

An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information, which can lead to remote code execution by unauthorized users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0756"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-99"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-16T23:15:44Z",
    "severity": "CRITICAL"
  },
  "details": "Overview \n\n\n\n\u00a0\n\n\n\nThe product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99) \n\n\n\n\u00a0\n\n\n\nDescription \n\n\n\n\u00a0\n\n\n\nHitachi Vantara Pentaho Data Integration \u0026 Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not restrict JNDI identifiers during the creation of platform data sources. \n\n\n\n\u00a0\n\n\n\nImpact \n\n\n\n\u00a0\n\n\n\nAn attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information, which can lead to remote code execution by unauthorized users.",
  "id": "GHSA-6hg2-95ww-whj9",
  "modified": "2025-04-17T00:30:25Z",
  "published": "2025-04-17T00:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0756"
    },
    {
      "type": "WEB",
      "url": "https://https://support.pentaho.com/hc/en-us/articles/35771876077709--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Improper-Control-of-Resource-Identifiers-Resource-Injection-Versions-before-10-2-0-2-including-9-3-x-Impacted-CVE-2025-0756"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6R4H-F9RF-FRM2

Vulnerability from github – Published: 2025-01-06 18:31 – Updated: 2025-11-03 21:32
VLAI
Details

A flaw was found in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET requests to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6605"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-99"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-06T17:15:14Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in FFmpeg\u0027s DASH playlist support. This vulnerability allows arbitrary HTTP GET requests to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs.",
  "id": "GHSA-6r4h-f9rf-frm2",
  "modified": "2025-11-03T21:32:03Z",
  "published": "2025-01-06T18:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6605"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334336"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00004.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6RQ7-M52P-8PQG

Vulnerability from github – Published: 2025-08-21 00:30 – Updated: 2026-05-07 05:16
VLAI
Summary
xxl-job Vulnerable to Resource Injection and Authorization Bypass Through User-Controlled Key
Details

A vulnerability has been found in Xuxueli xxl-job up to 3.1.1. Affected by this vulnerability is the function getJobsByGroup of the file /src/main/java/com/xxl/job/admin/controller/JobLogController.java. Such manipulation of the argument jobGroup leads to improper control of resource identifiers. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.xuxueli:xxl-job-admin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-9263"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-99"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T05:16:09Z",
    "nvd_published_at": "2025-08-20T23:15:30Z",
    "severity": "LOW"
  },
  "details": "A vulnerability has been found in Xuxueli xxl-job up to 3.1.1. Affected by this vulnerability is the function getJobsByGroup of the file /src/main/java/com/xxl/job/admin/controller/JobLogController.java. Such manipulation of the argument jobGroup leads to improper control of resource identifiers. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-6rq7-m52p-8pqg",
  "modified": "2026-05-07T05:16:09Z",
  "published": "2025-08-21T00:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9263"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xuxueli/xxl-job/issues/3772"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xuxueli/xxl-job/issues/3772#issue-3308329205"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xuxueli/xxl-job"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.320805"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.320805"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.631704"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "xxl-job Vulnerable to Resource Injection and Authorization Bypass Through User-Controlled Key"
}

GHSA-88JG-87GJ-M92C

Vulnerability from github – Published: 2026-03-29 06:31 – Updated: 2026-03-29 06:31
VLAI
Details

A vulnerability was found in BichitroGan ISP Billing Software 2025.3.20. Impacted is an unknown function of the file /?_route=settings/users-view/ of the component Endpoint. The manipulation of the argument ID results in improper control of resource identifiers. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5031"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-99"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-29T05:15:55Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in BichitroGan ISP Billing Software 2025.3.20. Impacted is an unknown function of the file /?_route=settings/users-view/ of the component Endpoint. The manipulation of the argument ID results in improper control of resource identifiers. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-88jg-87gj-m92c",
  "modified": "2026-03-29T06:31:20Z",
  "published": "2026-03-29T06:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5031"
    },
    {
      "type": "WEB",
      "url": "https://github.com/4m3rr0r/PoCVulDb/issues/15"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/778530"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/353953"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/353953/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-977C-3XVH-WWGH

Vulnerability from github – Published: 2025-02-20 00:32 – Updated: 2025-02-20 00:32
VLAI
Details

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99) 

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not restrict JNDI identifiers during the creation of Community Dashboards, allowing control of system-level data sources. 

An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information, which can lead to remote code execution by unauthorized users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-5706"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-99"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-19T23:15:10Z",
    "severity": "HIGH"
  },
  "details": "The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99)\u00a0\n\n\n\n\n\n\nHitachi Vantara Pentaho Data Integration \u0026 Analytics versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not restrict JNDI identifiers during the creation of Community Dashboards, allowing control of system-level data sources.\u00a0\n\n\n\n\n\n\n\nAn attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information, which can lead to remote code execution by unauthorized users.",
  "id": "GHSA-977c-3xvh-wwgh",
  "modified": "2025-02-20T00:32:04Z",
  "published": "2025-02-20T00:32:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5706"
    },
    {
      "type": "WEB",
      "url": "https://support.pentaho.com/hc/en-us/articles/34296195570189--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Improper-Control-of-Resource-Identifiers-Resource-Injection-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-5706"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, it can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
CAPEC-10: Buffer Overflow via Environment Variables

This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the adversary finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.

CAPEC-240: Resource Injection

An adversary exploits weaknesses in input validation by manipulating resource identifiers enabling the unintended modification or specification of a resource.

CAPEC-75: Manipulating Writeable Configuration Files

Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.