PT-2025-16917 · Hitachi Vantara · Hitachi Vantara Pentaho Business Analytics Server

Published: 2025-04-16 · Updated: 2025-04-17 · CVE-2025-24910

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Hitachi Vantara Pentaho Business Analytics Server versions prior to 10.2.0.2
Hitachi Vantara Pentaho Business Analytics Server versions 9.3.x
Hitachi Vantara Pentaho Business Analytics Server versions 8.3.x

Description

The issue is an XML External Entity (XXE) reference: an XML document's Document Type Definition (DTD) can declare entities whose content is substituted from a URI. An attacker can therefore submit an XML file that declares an external entity with a file:// URI, causing the processing application to read local file contents into the document. URIs with other schemes, such as http://, can likewise be used to make the application issue outgoing requests to arbitrary servers, which may bypass firewall restrictions or hide the true source of activity such as port scanning.

Recommendations

For Hitachi Vantara Pentaho Business Analytics Server versions prior to 10.2.0.2, update to version 10.2.0.2 or later to resolve the issue. For Hitachi Vantara Pentaho Business Analytics Server versions 9.3.x and 8.3.x, update to version 10.2.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Pentaho Data Integration MessageSourceCrawler to minimize the risk of exploitation.
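The class of bug described above is closed at the parser, not the application: a JAXP DocumentBuilder that refuses DOCTYPE declarations cannot be made to resolve a file:// or http:// entity at all. The following is an added example written for this page, not Pentaho's code or its fix; the class and method names are hypothetical, the feature URIs are the standard Xerces/JAXP ones, and the sample XXE document is constructed with a placeholder path.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // Hypothetical helper: a DocumentBuilder that rejects DTDs and never fetches external entities.
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary defence: no DOCTYPE means no entity declarations can be supplied at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case the DOCTYPE restriction is ever relaxed for a legitimate DTD.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);          // XInclude is another route to file:// / http:// reads
        dbf.setExpandEntityReferences(false); // do not expand entities even if a DTD slips through
        return dbf.newDocumentBuilder();
    }

    // Parses untrusted input; a document carrying a DTD is rejected with SAXParseException.
    static Document parseUntrusted(String xml) throws Exception {
        return newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the DTD-declared external entity the advisory describes (placeholder path).
        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"file:///placeholder/local/file\">]>\n"
                + "<doc>&ext;</doc>";
        String plain = "<doc>hello</doc>";
        try {
            parseUntrusted(xxe);
            System.out.println("UNEXPECTED: document with DTD was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected before any entity was resolved: " + e.getMessage());
        }
        System.out.println("plain document root: "
                + parseUntrusted(plain).getDocumentElement().getTagName());
    }
}
```

The disallow-doctype-decl feature is honoured by the JDK's built-in Xerces parser; a third-party JAXP implementation that does not recognise it throws ParserConfigurationException from newHardenedBuilder, which should be treated as a hard failure rather than silently falling back to a default factory.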

Fix

XXE

Weakness Enumeration

Related Identifiers: CVE-2025-24910

Affected Products: Hitachi Vantara Pentaho Business Analytics Server