Hitachi Vantara Pentaho Business Analytics Server - does not adequately filter user-controlled input for special elements with control implications. (CWE-75)
Hitachi Vantara Pentaho Business Analytics Server versions before 18.104.22.168 and 22.214.171.124, including 8.3.x are impacted.
Hitachi Vantara Pentaho Business Analytics Server prior to versions 126.96.36.199 and 188.8.131.52, including 8.3.x allow certain web services to set property values which contain Spring templates that are interpreted downstream.
When the vulnerability is leveraged, the attacker can inject Spring templates into properties files, allowing for arbitrary command execution.
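The root cause above is that a value accepted from a web service is written into a properties file and later evaluated as a Spring template rather than treated as plain text. The following is an added example (not Pentaho's code or Hitachi Vantara's fix) showing the two defender-side checks a practitioner would want: a validator that refuses property values carrying `${...}` placeholder or `#{...}` SpEL syntax before they are persisted, and an audit routine that scans an existing `.properties` blob for values that already contain such syntax. The property keys and the sample file are constructed for illustration.

```python
import re

# Spring resolves "${...}" as a property placeholder and "#{...}" as a
# SpEL expression. Either form in a user-supplied value means the value
# will be interpreted, not stored literally, when it is read back.
TEMPLATE_PATTERN = re.compile(r"[$#]\{[^}]*\}")

# .properties syntax: key, then optional whitespace, then "=" or ":" (or
# just whitespace) as the separator, then the value.
PROPERTY_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def contains_template(value: str) -> bool:
    """True if the value would be evaluated as a Spring template downstream."""
    return TEMPLATE_PATTERN.search(value) is not None


def validate_property_value(value: str) -> str:
    """Gate to apply before a web-service-supplied value reaches a properties file.

    Returns the value unchanged if it is safe to store literally; raises
    ValueError otherwise so the caller rejects the request instead of
    persisting something that will later be interpreted.
    """
    if contains_template(value):
        raise ValueError("property value contains a Spring template expression")
    return value


def audit_properties(text: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs in a .properties blob whose values carry templates.

    Useful for checking files that were written before the gate above existed.
    Comment lines ("#" or "!") and blank lines are skipped.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        match = PROPERTY_LINE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2)
        if contains_template(value):
            findings.append((key, value))
    return findings


# Constructed sample: two literal values and two values that Spring would
# interpret. The keys are hypothetical and not taken from any real product.
SAMPLE_PROPERTIES = """\
# constructed sample properties file
report.title=Quarterly Sales
mail.smtp.host=mail.example.internal
log.dir=${catalina.home}/logs
user.greeting=#{systemProperties['user.name']}
"""

if __name__ == "__main__":
    for key, value in audit_properties(SAMPLE_PROPERTIES):
        print(f"template expression in {key}: {value}")
```

The validator is deliberately strict: it rejects `${...}` as well as `#{...}`, because placeholder resolution can pull in other properties or environment values even without SpEL. If an application legitimately needs placeholders in some administrator-managed keys, restrict the gate to the keys that web services are allowed to set rather than loosening the pattern.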
We recommend you upgrade to the latest Hitachi Vantara Pentaho version 9.4 release with Service Pack 184.108.40.206. For version 9.3 we recommend updating to Service Packs 220.127.116.11 or above where this vulnerability is addressed.
Please review the Pentaho End-of-Life policy to ensure you are up to date.
This issue is logged under JIRA PPP-4791