PT-2023-2232 · Hitachi Vantara · Pentaho Business Analytics Server

Published: 2023-04-03 · Updated: 2023-04-10 · CVE-2022-43771

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Hitachi Vantara Pentaho Business Analytics Server versions prior to 9.4.0.0
Hitachi Vantara Pentaho Business Analytics Server version 9.3.0.1 and earlier
Hitachi Vantara Pentaho Business Analytics Server versions 8.3.x

Description
The issue is an improper restriction of a directory pathname to the intended, limited-access directory. A remote attacker can use it to gain unauthorized access to protected information. The Pentaho Data Access plugin exposes a service endpoint for CSV import that accepts a user-supplied path; that path is not confined to the import directory, so it can reach resources outside it.

Recommendations
For versions prior to 9.4.0.0, update to version 9.4.0.0 or later. For version 9.3.0.1 and earlier, update to version 9.3.0.1 or later, or apply the necessary patch. For versions 8.3.x, consider disabling the Pentaho Data Access plugin until a patch is available, or restrict access to the CSV import service endpoint to minimize the risk of exploitation.
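The bug class in the description, path confinement of a user-supplied CSV path, as an added illustration that is not Pentaho's code: a naive resolver that joins the request value onto the import root is shown beside a hardened one that rejects anything landing outside the root. The import root and function names are hypothetical.

```python
import posixpath

# Constructed example: the directory an administrator allows CSV imports from.
IMPORT_ROOT = "/srv/pentaho/csv-import"  # hypothetical location


class ImportPathRejected(ValueError):
    """Raised when a requested CSV path does not stay inside the import root."""


def resolve_csv_naive(user_path: str, root: str = IMPORT_ROOT) -> str:
    """Vulnerable pattern: the user-supplied value is joined onto the import
    root and used as-is. '..' segments walk out of the root, and an absolute
    path replaces the root entirely (posixpath.join discards it), so the
    endpoint reads whatever the server account can open."""
    return posixpath.normpath(posixpath.join(root, user_path))


def resolve_csv_safe(user_path: str, root: str = IMPORT_ROOT) -> str:
    """Hardened pattern: normalise, then require the result to share the
    import root as a prefix *by path component*, not by string prefix."""
    if not user_path or "\x00" in user_path:
        raise ImportPathRejected("empty or NUL-containing path")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    # commonpath compares whole components, so '/srv/pentaho/csv-import_old'
    # is treated as outside '/srv/pentaho/csv-import'; a plain
    # candidate.startswith(root) check would wrongly accept it.
    if candidate == root or posixpath.commonpath([root, candidate]) != root:
        raise ImportPathRejected(f"path escapes import root: {user_path!r}")
    # On a live server, also canonicalise with os.path.realpath() and repeat
    # this check so a symlink inside the root cannot point back outside it.
    return candidate


def is_inside_root(user_path: str, root: str = IMPORT_ROOT) -> bool:
    """True if the hardened resolver accepts the requested path."""
    try:
        resolve_csv_safe(user_path, root)
        return True
    except ImportPathRejected:
        return False


if __name__ == "__main__":
    for p in ("sales/q1.csv", "../../etc/passwd", "/etc/passwd", "../csv-import_old/x.csv"):
        print(f"{p!r:28} naive -> {resolve_csv_naive(p)!r:36} accepted={is_inside_root(p)}")
```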

Weakness Enumeration: Path traversal

Related Identifiers: BDU:2023-01987, CVE-2022-43771

Affected Products: Pentaho Business Analytics Server, Pentaho Data Access