PT-2015-7416 · Pentaho · Pentaho Business Analytics Suite+1
Published
2015-09-22
·
Updated
2018-10-09
·
CVE-2015-6940
CVSS v2.0
5.0
Medium
| Vector | AV:N/AC:L/Au:N/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Pentaho Business Analytics (BA) Suite versions 4.5.x through 5.2.x
Pentaho Data Integration (PDI) Suite versions 4.3.x through 5.2.x
Description
The issue concerns the GetResource servlet, which fails to restrict access to files in the pentaho-solutions/system folder. This allows remote attackers to obtain sensitive information, including passwords, by specifying a file name in the
resource parameter.Recommendations
For Pentaho Business Analytics (BA) Suite versions 4.5.x through 5.2.x, restrict access to the GetResource servlet to prevent unauthorized file access.
For Pentaho Data Integration (PDI) Suite versions 4.3.x through 5.2.x, limit access to the GetResource servlet to minimize the risk of sensitive information disclosure.
As a temporary workaround, consider restricting access to the pentaho-solutions/system folder until a patch is available.
Exploit
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pentaho Business Analytics Suite
Pentaho Data Integration Suite