Vulnerability Details CVE-2021-45448
Pentaho Business Analytics
Server versions before 9.2.0.2 and 8.3.0.25 using the Pentaho
Analyzer plugin exposes a service endpoint for templates which allows a
user-supplied path to access resources that are out of bounds.
The software uses external input to construct a pathname that is intended to identify a file or
directory that is located underneath a restricted parent directory, but the software does not
properly neutralize special elements within the pathname that can cause the pathname to
resolve to a location that is outside of the restricted directory. By using special elements such as
".." and "/" separators, attackers can escape outside of the restricted
location to access files or directories that are elsewhere on the
system.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 54.7%
CVSS Severity
CVSS v3 Score 7.1
References
Products affected by CVE-2021-45448
-
cpe:2.3:a:hitachi:vantara_pentaho:*
-
cpe:2.3:a:hitachi:vantara_pentaho:8.3.0.0
-
cpe:2.3:a:hitachi:vantara_pentaho:8.3.0.9