Platform: java
Component: pentaho-business-analytics-server
Fixed in: 10.2.0.0, 9.3.0.9
CVE-2024-37359 describes a Host Header Injection vulnerability in Hitachi Vantara Pentaho Business Analytics Server. This flaw allows attackers to manipulate the Host header in HTTP/HTTPS requests, potentially bypassing security controls like firewalls. The vulnerability impacts versions 1.0 through 9.3.0.8, and a fix is available in version 9.3.0.9.
An attacker can exploit this vulnerability by crafting malicious HTTP/HTTPS requests with manipulated Host headers. This allows them to trick the server into believing the request originates from a trusted source, effectively bypassing access controls and potentially gaining unauthorized access to sensitive data or functionality. The attacker could redirect requests to unintended destinations, potentially exfiltrating data or launching further attacks. This bypass could allow attackers to access internal resources normally protected by network segmentation or firewalls, significantly expanding the blast radius of a successful attack.
This vulnerability was publicly disclosed on 2025-02-19. There are currently no known public exploits or active campaigns targeting this specific vulnerability, but the ease of exploitation and potential impact warrant careful attention. The vulnerability's nature, allowing Host header manipulation, shares similarities with other bypass techniques and could be incorporated into broader attack strategies. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC: (not given)
CVSS Vector: (not given)
The primary mitigation for CVE-2024-37359 is to upgrade Pentaho Business Analytics Server to version 9.3.0.9 or later. If upgrading is not immediately feasible, place a Web Application Firewall (WAF) or reverse proxy in front of the server to validate the Host header of incoming requests, and configure it to reject requests whose Host header does not match one of the hostnames the server is meant to be reached at. Additionally, review and strengthen network segmentation to limit the impact of successful exploitation, and check the server's configuration to ensure it does not inadvertently accept requests from untrusted sources.
Update Hitachi Vantara Pentaho Business Analytics Server to version 10.2.0.0 or 9.3.0.9, or a later version. This corrects the Server Side Request Forgery (SSRF) vulnerability by properly validating the Host header of incoming HTTP/HTTPS requests.
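The Host-header allowlist check that a WAF or reverse proxy should perform in front of the server, as an added example that is not Pentaho's or Hitachi Vantara's own code. The allowlisted hostnames and ports, the sample requests, and the `X-Forwarded-Host` handling are constructed assumptions for illustration; a real deployment lists the names the server is actually published under.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed allowlist (assumption): the hostnames and ports at which this
# deployment is legitimately reachable. Replace with real deployment values.
ALLOWED_HOSTS = {"bi.example.com", "bi.example.internal"}
ALLOWED_PORTS = {None, 80, 443, 8080}

# Host = reg-name | IPv4 | "[" IPv6 "]", optionally ":" port (RFC 7230 section 5.4).
_HOST_RE = re.compile(
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(?::(?P<port>[0-9]{1,5}))?"
)


def parse_host(value: str) -> Optional[Tuple[str, Optional[int]]]:
    """Return (hostname, port) from a Host header value, or None if malformed."""
    m = _HOST_RE.fullmatch(value.strip())
    if m is None:
        return None
    # Hostnames are case-insensitive; a trailing dot is the same name.
    host = m.group("host").lower().rstrip(".")
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not 0 < port < 65536:
        return None
    return host, port


def host_header_allowed(headers: Iterable[Tuple[str, str]]) -> Tuple[bool, str]:
    """Decide whether a request's Host header names this deployment.

    headers is the raw (name, value) list as received, so duplicate headers
    stay visible. Returns (allowed, reason); reason suits a WAF log line.
    """
    headers = list(headers)
    hosts = [v for n, v in headers if n.lower() == "host"]
    if not hosts:
        return False, "missing Host header"
    if len(hosts) > 1:
        # Two Host headers leave proxy and backend free to disagree; reject.
        return False, "multiple Host headers"
    parsed = parse_host(hosts[0])
    if parsed is None:
        return False, f"malformed Host header: {hosts[0]!r}"
    host, port = parsed
    if host not in ALLOWED_HOSTS:
        return False, f"Host {host!r} not in allowlist"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not in allowlist"
    # Application frameworks often prefer X-Forwarded-Host when building
    # absolute URLs, so the edge must not pass through a value it did not set.
    for n, v in headers:
        if n.lower() == "x-forwarded-host":
            fwd = parse_host(v)
            if fwd is None or fwd[0] not in ALLOWED_HOSTS:
                return False, f"untrusted X-Forwarded-Host: {v!r}"
    return True, "ok"


# Constructed sample requests, as header lists a proxy would see them.
SAMPLE_REQUESTS: List[List[Tuple[str, str]]] = [
    [("Host", "bi.example.com")],
    [("Host", "BI.EXAMPLE.COM:443")],
    [("Host", "bi.example.com"), ("X-Forwarded-Host", "untrusted.example")],
    [("Host", "untrusted.example")],
    [("Host", "bi.example.com"), ("Host", "untrusted.example")],
    [("Host", "bi.example.com:99999")],
    [],
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        ok, why = host_header_allowed(req)
        print("ALLOW" if ok else "BLOCK", req, why)
```

The check is deliberately an allowlist rather than a denylist: any Host value that is not one of the deployment's own names is rejected, including values that are merely malformed, duplicated, or carry an unexpected port, because each of those is a way for a request to reach application code with a hostname the operator never intended.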
CVE-2024-37359 is a HIGH severity vulnerability allowing attackers to manipulate the Host header, potentially bypassing access controls in Pentaho Business Analytics Server versions 1.0–9.3.0.8.
If you are running Pentaho Business Analytics Server versions 1.0 through 9.3.0.8, you are potentially affected by this vulnerability. Upgrade to 9.3.0.9 or later to mitigate the risk.
The recommended fix is to upgrade to Pentaho Business Analytics Server version 9.3.0.9 or later. As a temporary workaround, implement a WAF to filter malicious Host header requests.
As of the current disclosure date, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the Hitachi Vantara security advisory for detailed information and updates regarding CVE-2024-37359.