Vulnerability Details CVE-2021-34685
UploadService in Hitachi Vantara Pentaho Business Analytics through 9.1 does not properly verify uploaded user files, which allows an authenticated user to upload various files of different file types. Specifically, a .jsp file is not allowed, but a .jsp. file is allowed (and leads to remote code execution).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.02
EPSS Ranking 82.7%
CVSS Severity
CVSS v3 Score 2.7
CVSS v2 Score 6.5
References
- http://packetstormsecurity.com/files/164775/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-Filename-Bypass.html
- https://www.hitachi.com/hirt/security/index.html
- http://packetstormsecurity.com/files/164775/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-Filename-Bypass.html
- https://www.hitachi.com/hirt/security/index.html
Products affected by CVE-2021-34685
-
cpe:2.3:a:hitachi:vantara_pentaho:-
-
cpe:2.3:a:hitachi:vantara_pentaho:7.0.0
-
cpe:2.3:a:hitachi:vantara_pentaho:7.1.0.25
-
cpe:2.3:a:hitachi:vantara_pentaho:8.0.0
-
cpe:2.3:a:hitachi:vantara_pentaho:8.2.0.6
-
cpe:2.3:a:hitachi:vantara_pentaho:8.3.0.0
-
cpe:2.3:a:hitachi:vantara_pentaho:8.3.0.25
-
cpe:2.3:a:hitachi:vantara_pentaho:8.3.0.9
-
cpe:2.3:a:hitachi:vantara_pentaho:9.0.0
-
cpe:2.3:a:hitachi:vantara_pentaho:9.0.0.1
-
cpe:2.3:a:hitachi:vantara_pentaho:9.1.0.0