CVE-2021-34685

Name of the Vulnerable Software and Affected Versions: Hitachi Vantara Pentaho Business Analytics versions through 9.1

Description: The issue allows an authenticated user to upload various files of different file types due to improper verification of uploaded user files. Specifically, uploading a .jsp. file is allowed, which can lead to remote code execution, even though a .jsp file is not allowed.

Recommendations: For Hitachi Vantara Pentaho Business Analytics versions through 9.1, consider restricting file uploads to only necessary file types and ensure proper verification of uploaded files to prevent remote code execution. As a temporary workaround, consider disabling the file upload feature in the UploadService until a proper fix is available.