CVE-2015-6940

Name of the Vulnerable Software and Affected Versions Pentaho Business Analytics (BA) Suite versions 4.5.x through 5.2.x Pentaho Data Integration (PDI) Suite versions 4.3.x through 5.2.x

Description The issue concerns the GetResource servlet, which fails to restrict access to files in the pentaho-solutions/system folder. This allows remote attackers to obtain sensitive information, including passwords, by specifying a file name in the resource parameter.

Recommendations For Pentaho Business Analytics (BA) Suite versions 4.5.x through 5.2.x, restrict access to the GetResource servlet to prevent unauthorized file access. For Pentaho Data Integration (PDI) Suite versions 4.3.x through 5.2.x, limit access to the GetResource servlet to minimize the risk of sensitive information disclosure. As a temporary workaround, consider restricting access to the pentaho-solutions/system folder until a patch is available.