CVE-2021-45448 HIGH

CVE-2021-45448: Pentaho Business Analytics Server - Pentaho Analyzer plugin exposes a service endpoint for templates which allows a user-supplied path to access resources that are out of bounds.

Vendor Hitachi Vantara
Product Pentaho Business Analytics Server
Weakness CWE-22 · Path traversal
Published November 2, 2022
Last update May 2, 2025

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

01 Description

Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 using the Pentaho Analyzer plugin expose a service endpoint for templates which allows a user-supplied path to access resources that are out of bounds. The software uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory. By using special elements such as ".." and "/" separators, attackers can escape the restricted location to access files or directories elsewhere on the system.
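Added example, not Pentaho's code: a constructed template resolver showing the CWE-22 pattern described above beside a hardened version that canonicalises the path and checks containment, plus a log-side detector for traversal-shaped parameters. BASE_DIR and the sample request names are placeholders, not the product's real paths or endpoint.

```python
from pathlib import Path
from urllib.parse import unquote

# Constructed placeholder for the restricted template directory (not the
# product's real path). The endpoint receives a user-supplied relative name.
BASE_DIR = "/srv/pentaho/templates"


def naive_template_path(base_dir, user_path):
    """The flawed pattern: raw string join, nothing neutralises '..' or '/'."""
    return base_dir.rstrip("/") + "/" + user_path


def safe_template_path(base_dir, user_path):
    """Resolve user_path under base_dir and refuse anything that escapes it.

    The containment check runs on the canonical path (after '..' collapsing
    and symlink resolution), not on the raw string, so doubled separators or
    encoded dots are handled by filesystem semantics instead of a blocklist.
    """
    base = Path(base_dir).resolve()
    if Path(user_path).is_absolute():
        # A leading '/' would make the join discard base_dir entirely.
        raise ValueError("absolute paths are not accepted")
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return candidate


def is_traversal_attempt(raw_param):
    """Log/WAF-style detector: True when a (possibly URL-encoded) parameter
    contains a '..' segment or starts as an absolute path."""
    decoded = unquote(unquote(raw_param))  # tolerate double encoding
    segments = decoded.replace("\\", "/").split("/")
    return ".." in segments or decoded.startswith("/")


def classify(base_dir, requests):
    """Run each request through the hardened resolver; returns name -> verdict."""
    verdicts = {}
    for name in requests:
        try:
            safe_template_path(base_dir, name)
            verdicts[name] = "allowed"
        except ValueError:
            verdicts[name] = "rejected"
    return verdicts


if __name__ == "__main__":
    samples = ["default/report.xml", "default/../other.xml",
               "../../../outside.txt", "/absolute.txt"]
    print(naive_template_path(BASE_DIR, samples[2]))  # flaw: leaves BASE_DIR
    print(classify(BASE_DIR, samples))
    print([is_traversal_attempt(s) for s in ["%2e%2e/x", "default/a.xml"]])
```

Note that "default/../other.xml" is allowed by the canonical check because it still resolves inside the base directory, whereas a naive ".." blocklist would reject it and still miss encoded variants.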

Key dates

02 Disclosure timeline

November 2, 2022 CVE published
May 2, 2025 Record updated