CVE-2021-45448
published 2022-11-02

Priority: P338
CVSS 3.1 base score: 6.5 (medium)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.55% (41.9th percentile)
Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 using the Pentaho Analyzer plugin expose a service endpoint for templates that allows a user-supplied path to access resources that are out of bounds. The software uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but it does not properly neutralize special elements within the pathname, so the pathname can resolve to a location outside of the restricted directory. By using special elements such as ".." and "/" separators, attackers can escape the restricted location and access files or directories elsewhere on the system.
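As an added illustration of the containment check the description above calls for (this is not Pentaho's code; the template directory, file names and function names are constructed for the demo), the unchecked join is shown beside a hardened resolver that rejects any path escaping the template directory:

```python
import os
import tempfile
from typing import Optional

# Constructed sandbox: a "templates" directory holding one legitimate file,
# plus a sibling file outside it that a traversal sequence would reach.
ROOT = tempfile.mkdtemp()
TEMPLATES_DIR = os.path.join(ROOT, "templates")
os.makedirs(TEMPLATES_DIR)
with open(os.path.join(TEMPLATES_DIR, "default.xml"), "w") as f:
    f.write("<template/>")
with open(os.path.join(ROOT, "secret.properties"), "w") as f:
    f.write("password=constructed-example")


def weak_resolve(user_path: str) -> str:
    """Joins user input under the template directory with no containment
    check: the CWE-22 pattern the CVE text describes."""
    return os.path.join(TEMPLATES_DIR, user_path)


def weak_reaches_file(user_path: str) -> bool:
    """True if the unchecked join lands on an existing file (used to show the escape)."""
    return os.path.isfile(weak_resolve(user_path))


def safe_resolve(user_path: str) -> Optional[str]:
    """Returns the canonical path only if it stays inside TEMPLATES_DIR, else None.

    realpath collapses "..", symlinks and repeated separators before the check;
    commonpath (rather than startswith) avoids accepting a sibling directory
    whose name merely begins with the base, e.g. "templates2".
    """
    base = os.path.realpath(TEMPLATES_DIR)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def read_template(user_path: str) -> Optional[str]:
    """Reads a template by its user-supplied relative name, or None if rejected."""
    target = safe_resolve(user_path)
    if target is None or not os.path.isfile(target):
        return None
    with open(target) as f:
        return f.read()
```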

Affected (4 ranges)

Vendor            Product                             Version range              Fixed in
hitachivantara    pentaho                             >= 8.3.0.0 < 8.3.0.25      8.3.0.25
hitachivantara    pentaho                             >= 9.2.0.0 < 9.2.0.2       9.2.0.2
hitachi_vantara   pentaho_business_analytics_server   >= 1.0 < 8.3.0.25          8.3.0.25
hitachi_vantara   pentaho_business_analytics_server   >= 9.2 < 9.2.0.2           9.2.0.2