Overview
Hitachi Vantara Pentaho Business Analytics Server does not adequately filter user-controlled input for special elements that have control implications once the input reaches a downstream interpreter (CWE-75: Failure to Sanitize Special Elements into a Different Plane).
Products Affected
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including all 8.3.x releases, are affected.
Description
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, allows certain web services to set property values that contain Spring templates; those stored values are later interpreted as templates by downstream components rather than treated as literal text.
Impact
An attacker who exploits this vulnerability can inject Spring templates into property files. When a downstream component evaluates those templates, the attacker's expression is executed with the privileges of the server process, allowing arbitrary command execution.
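The following is an added illustration of the vulnerability class described above. It is not Pentaho code, and none of the class, method or property names are taken from the product; it assumes a server that stores a user-controlled property value and later renders it as a Spring Expression Language (SpEL) template via `TemplateParserContext` against a `StandardEvaluationContext`, and places that pattern beside two hardened forms. The injected value uses a deliberately benign type reference so the block can be run safely; the point is that the same `T(...)` mechanism reaches any class on the classpath, including `java.lang.Runtime`.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.common.TemplateParserContext;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class PropertyTemplateDemo {

    // Constructed sample: a property value as an attacker could submit it through a
    // property-setting web service. "#{...}" is SpEL's default template delimiter.
    // The type reference here only reads a JVM system property; the identical T()
    // syntax resolves java.lang.Runtime, which is why the advisory rates the impact
    // as arbitrary command execution.
    static final String USER_SUPPLIED =
        "report-title-#{T(java.lang.System).getProperty('java.version')}";

    // Vulnerable pattern (assumed for illustration, not Pentaho's code): a stored
    // property value is rendered as a SpEL template with a StandardEvaluationContext,
    // which permits type references, constructors and arbitrary method invocation.
    static String renderUnsafe(String propertyValue) {
        ExpressionParser parser = new SpelExpressionParser();
        Expression exp = parser.parseExpression(propertyValue, new TemplateParserContext());
        return exp.getValue(new StandardEvaluationContext(), String.class);
    }

    // Hardened form 1: user-controlled values are data, never templates. The value is
    // stored and displayed verbatim, so "#{...}" is just text.
    static String renderLiteral(String propertyValue) {
        return propertyValue;
    }

    // Hardened form 2: where template rendering of such values is genuinely required,
    // evaluate under SimpleEvaluationContext. It rejects T() type references,
    // constructors and bean references, and does not enable method invocation
    // unless the builder explicitly turns it on, so the payload above fails to
    // evaluate instead of reaching the JVM.
    static String renderRestricted(String propertyValue, Object root) {
        ExpressionParser parser = new SpelExpressionParser();
        Expression exp = parser.parseExpression(propertyValue, new TemplateParserContext());
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return exp.getValue(ctx, root, String.class);
    }

    public static void main(String[] args) {
        // Template is executed: the output embeds the live JVM version string.
        System.out.println("unsafe:     " + renderUnsafe(USER_SUPPLIED));
        // Template is inert: the output is the raw "#{...}" text.
        System.out.println("literal:    " + renderLiteral(USER_SUPPLIED));
        // Template is refused: SpEL raises an evaluation error on the T() reference.
        try {
            System.out.println("restricted: " + renderRestricted(USER_SUPPLIED, new Object()));
        } catch (SpelEvaluationException e) {
            System.out.println("restricted: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The block needs `spring-expression` (and its `spring-core` dependency) on the classpath. The first hardened form is the one to prefer for a property-setting API: values that originate from a request should never be handed to a template engine, and if an existing code path cannot be changed, the restricted evaluation context limits the blast radius until it can.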
Action
We recommend upgrading to the latest Hitachi Vantara Pentaho 9.4 release with Service Pack 9.4.0.1 applied. For version 9.3, update to Service Pack 9.3.0.2 or later, where this vulnerability is addressed. No fixed release in the 8.3.x line is listed here, so 8.3.x installations should plan a move to a fixed 9.3 or 9.4 release.
Please review the Pentaho End-of-Life policy to ensure you are up to date.