CVE-2025-24907

Name of the Vulnerable Software and Affected Versions Hitachi Vantara Pentaho Data Integration & Analytics versions prior to 10.2.0.2, including 9.3.x and 8.3.x

Description The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.

Recommendations For versions prior to 10.2.0.2, including 9.3.x and 8.3.x, update to version 10.2.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the CGG Draw API to minimize the risk of exploitation.