CVE-2021-45448 : Security Advisory and Response

Learn about CVE-2021-45448, a critical vulnerability in Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 that allows unauthorized access to resources outside the restricted directory.

A vulnerability in the Pentaho Business Analytics Server allows attackers to access files or directories outside of the restricted location.

Understanding CVE-2021-45448

What is CVE-2021-45448?

Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 using the Pentaho Analyzer plugin have a path traversal vulnerability that enables unauthorized access to out-of-bound resources.

The Impact of CVE-2021-45448

File operations that are meant to be confined to a restricted directory can be redirected outside it, giving an attacker access to other files or directories on the system.

Technical Details of CVE-2021-45448

Vulnerability Description

The flaw in the Pentaho Analyzer plugin is that a crafted path is not confined to the intended directory, so it can reach resources beyond it.
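The defect class described above (CWE-22) comes down to a missing containment check on a user-controlled path. The following is an added illustration of that check, written here in Python for clarity; it is not code from Pentaho or Hitachi Vantara, and the base directory, file names and inputs are constructed for the demonstration. It resolves the candidate path (collapsing `..` segments and following symlinks) and then verifies that the result still lies inside the permitted base directory before any file operation is attempted.

```python
import tempfile
from pathlib import Path


def resolve_within(base_dir, user_path):
    """Return the resolved absolute path if it stays inside base_dir, else None.

    The comparison is made on the resolved filesystem location, not on the
    literal string, so '..' segments, absolute paths and symlinks pointing
    outside the base directory are all rejected.
    """
    base = Path(base_dir).resolve()
    # Joining an absolute user_path discards base; resolve() then yields a
    # location outside base, which the containment check below rejects.
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def demo():
    """Exercise the check against constructed inputs; returns {input: allowed}."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "reports"          # hypothetical restricted directory
        base.mkdir()
        (base / "sales.txt").write_text("q1 numbers")
        # A file outside the restricted directory that must stay unreachable.
        outside = Path(tmp) / "secret.txt"
        outside.write_text("not for analyzer users")

        inputs = [
            "sales.txt",            # plain file inside the base: allowed
            "sub/../sales.txt",     # '..' that still lands inside the base: allowed
            "../secret.txt",        # climbs out of the base: rejected
            "/etc/hostname",        # absolute path ignores the base: rejected
        ]
        # A symlink inside the base that points outside it (skipped where the
        # platform does not permit creating symlinks).
        link = base / "link"
        try:
            link.symlink_to(outside)
            inputs.append("link")   # resolves to secret.txt: rejected
        except OSError:
            pass

        return {p: resolve_within(base, p) is not None for p in inputs}


if __name__ == "__main__":
    for path, allowed in demo().items():
        print(f"{path!r:22} -> {'allowed' if allowed else 'rejected'}")
```

The important design choice is to compare resolved paths rather than to blocklist substrings such as `..`: string filters miss encoded variants and symlinks, whereas a resolved-path comparison answers the only question that matters, namely where the operation would actually land on disk.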

Affected Systems and Versions

        Product: Pentaho Business Analytics Server
        Vendor: Hitachi Vantara
        Module: Pentaho Analyzer plugin
        Vulnerable Versions:
              9.2 (up to 9.2.0.2)
              1.0 (up to 8.3.0.25)

Exploitation Mechanism

        Attack Complexity: Low
        Attack Vector: Network
        Privileges Required: Low
        CVSS Base Score: 7.1 (High)
        CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Mitigation and Prevention

Immediate Steps to Take

        Uninstall the Pentaho Analyzer plugin
        Upgrade to Hitachi Vantara Pentaho version 9.3

Long-Term Security Practices

        Regularly update to Service Packs 9.2.0.2/8.3.0.25 or later

Patching and Updates

        Official solution: Upgrade to the latest Hitachi Vantara Pentaho version and apply recommended Service Packs
