CVE-2025-24907 MEDIUM

CVE-2025-24907: Hitachi Vantara Pentaho Data Integration & Analytics – Path Traversal

Vendor Hitachi Vantara
Product Pentaho Data Integration & Analytics
Weakness CWE-35
Published April 16, 2025
Last update April 17, 2025

CVSS base score

6.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

What the vulnerability does

01Description

Overview   The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. (CWE-35)   Description   Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not sanitize a user input used as a file path through the CGG Draw API.   Impact   This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.

Key dates

02Disclosure timeline

April 16, 2025 CVE published
April 17, 2025 Record updated