HIGH🇵🇱 Wersja polska

CVE-2021-45448

CVSS 7.1v3.1pub. 2022-11-02upd. 2024-11-21

Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 using the Pentaho Analyzer plugin exposes a service endpoint for templates which allows a user-supplied path to access resources that are out of bounds.  The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.  By using special elements such as ".." and "/" separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
  • Hitachi Vantara Pentaho

    APP
    Hitachi
    8.3.0.0 – 8.3.0.25 (bez)9.2.0.0 – 9.2.0.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2021-34684CRITICAL9.8ten sam produkt

Hitachi Vantara Pentaho Business Analytics through 9.1 allows an unauthenticated user to execute arbitrary SQL...

CVE-2022-4815HIGH8.0ten sam produkt

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x deseri...

CVE-2021-45447HIGH7.7ten sam produkt

Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and 8.3.0.25 with the Dat...

CVE-2021-31601HIGH7.1ten sam produkt

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server throug...

CVE-2021-31599HIGH8.8ten sam produkt

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server throug...