PT-2022-12360 · Pentaho · Pentaho Analyzer Plugin, Pentaho Business Analytics Server

Published 2022-11-02 · Updated 2022-11-04 · CVE-2021-45448

CVSS v3.1 7.1 High
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Pentaho Business Analytics Server, 9.2.x releases before 9.2.0.2 and 8.3.x releases before 8.3.0.25 (the Pentaho Analyzer plugin shipped with those releases).
Description: A service endpoint for templates in the Pentaho Analyzer plugin takes a user-supplied path and uses it to locate resources without properly neutralizing special elements in the pathname. Because the path is not canonicalized and checked against the intended directory, it can resolve to a location outside that restricted directory. An authenticated user (the vector requires low privileges, PR:L) can supply sequences such as .. and / separators to escape the template directory and read files or list directories elsewhere on the server filesystem that the server process can access (high confidentiality impact, C:H, with limited integrity impact, I:L).
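The following is an added example, not Pentaho's code and not the vendor's fix, whose details this advisory does not give. It places the vulnerable pattern the description refers to (a user-supplied name joined onto a directory with no containment check) next to a hardened lookup that canonicalizes the path and verifies it still lies under the template root. The template directory, the file names and the "template service" are hypothetical, and the directory tree is constructed inline so the script runs offline.

```python
"""Path-traversal containment check for a template lookup (added example).

Nothing here is Pentaho code; the directory layout, file names and the
notion of a 'template service' are hypothetical illustrations.
"""
import os
import tempfile
from pathlib import Path


def unsafe_template_path(template_root: str, requested: str) -> str:
    """Vulnerable pattern: the user-supplied name is joined onto the
    template directory with no check, so '..' segments walk out of the
    root, and an absolute path replaces the root entirely (os.path.join
    discards everything before an absolute component)."""
    return os.path.join(template_root, requested)


def safe_template_path(template_root: str, requested: str) -> str:
    """Hardened pattern: reject absolute paths, canonicalize root and
    candidate (collapsing '.', '..', repeated separators and symlinks),
    then require the candidate to remain under the root.

    The check must run on the fully decoded path: if the endpoint accepts
    percent-encoded input, decode it before calling this function.
    """
    if os.path.isabs(requested):
        raise ValueError(f"absolute paths are not allowed: {requested!r}")
    root = os.path.realpath(template_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    # commonpath is a path-segment comparison, so 'templates-old' is not
    # mistaken for a child of 'templates' the way a string prefix test would.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes template root: {requested!r}")
    return candidate


def demo() -> dict:
    """Build a throwaway tree and record, for each request, whether the
    path that would actually be read stays inside the template root.
    Keys are (variant, requested_name); values are True when contained."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "templates")
        os.makedirs(root)
        Path(root, "report.xml").write_text("<template/>")
        secret = os.path.join(tmp, "secret.txt")  # sits outside the root
        Path(secret).write_text("db-password")
        names = ["report.xml", "../secret.txt", "sub/../../secret.txt",
                 "/etc/hostname"]
        try:
            # A symlink inside the root pointing outside it: only a check
            # done after symlink resolution catches this.
            os.symlink(secret, os.path.join(root, "link.xml"))
            names.append("link.xml")
        except OSError:
            pass  # symlink creation not permitted on this platform; skip

        real_root = os.path.realpath(root)
        results = {}
        for name in names:
            landed = os.path.realpath(unsafe_template_path(root, name))
            results[("unsafe", name)] = (
                os.path.commonpath([real_root, landed]) == real_root
            )
            try:
                safe_template_path(root, name)
                results[("safe", name)] = True
            except ValueError:
                results[("safe", name)] = False
        return results


if __name__ == "__main__":
    for (variant, name), contained in sorted(demo().items()):
        print(f"{variant:6} {name:24} {'inside root' if contained else 'ESCAPES'}")
```

In the demo, the unsafe join serves ../secret.txt, sub/../../secret.txt, the absolute path and the symlinked file from outside the template directory, while the hardened lookup serves only report.xml. Two details matter in practice: the containment test has to run after every transformation the application applies to the input (URL decoding, symlink resolution), and it should compare path segments rather than string prefixes.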
Recommendations: On the 9.2.x branch, update to version 9.2.0.2 or later; on the 8.3.x branch, update to version 8.3.0.25 or later. Until the update can be applied, restrict access to the template service endpoint of the Pentaho Analyzer plugin (for example, at the reverse proxy or firewall) as a temporary workaround; note that this limits, rather than removes, the exposure, since the vector requires only a low-privileged authenticated user.

Fix

Weakness Enumeration

Path traversal (CWE-22)

Related Identifiers

CVE-2021-45448

Affected Products

Pentaho Analyzer Plugin
Pentaho Business Analytics Server