Support Expiration Notice: Pentaho 9.3 will reach end of support on July 1, 2026. See this article for details.


(Resolved) Pentaho Data Integration & Analytics - Server-generated Error Message Containing Sensitive Information - Versions before 10.1.0.0 and 9.3.0.6 Impacted (CVE-2023-5617)

Overview 

Certain conditions, such as a network failure, cause the server to display an error message that contains sensitive information (CWE-550).

Products Affected 

Pentaho Data Integration & Analytics versions before 10.1.0.0 and 9.3.0.6

 

Description 

Pentaho Data Integration & Analytics versions before 10.1.0.0 and 9.3.0.6 display the version of Tomcat when a server error is encountered.

 

Impact 

Error messages are not dangerous in themselves; the risk lies in what an attacker can glean from them, in this case the Tomcat version the server is running.

Action  

We recommend you upgrade to Pentaho Data Integration & Analytics version 10.1 or newer. For Pentaho 9.3, we recommend applying the 9.3.0.6 Service Pack or newer.

Please review the Pentaho End-of-Life policy to ensure you are up to date.
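
The following check can be run over saved error responses (for example, output captured with `curl -i`) before and after upgrading, to confirm that the Tomcat version is no longer disclosed. It is an added example, not Pentaho code; the function names and sample responses are constructed, and the Tomcat version in them is made up rather than the one Pentaho ships.

```python
import re

# Version banner in the form Tomcat's default error page writes it, e.g. "Apache Tomcat/9.0.0".
BANNER = re.compile(r"Apache Tomcat/(\d+(?:\.\d+){1,3}(?:-[A-Za-z0-9]+)?)", re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP response (as saved by `curl -i`) into status, headers, body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def tomcat_version_leaks(raw):
    """Return sorted (location, version) pairs exposed by an error response."""
    status, headers, body = parse_response(raw)
    if status < 400:  # the advisory concerns error responses only
        return []
    leaks = set()
    for name, value in headers.items():
        leaks.update((f"header:{name}", m.group(1)) for m in BANNER.finditer(value))
    leaks.update(("body", m.group(1)) for m in BANNER.finditer(body))
    return sorted(leaks)


# Constructed samples: an error page carrying a version banner, and one without.
LEAKY = (
    "HTTP/1.1 500 \r\nContent-Type: text/html;charset=utf-8\r\n\r\n"
    "<html><head><title>HTTP Status 500 - Internal Server Error</title></head>"
    "<body><h1>HTTP Status 500 - Internal Server Error</h1>"
    '<hr class="line" /><h3>Apache Tomcat/9.0.0</h3></body></html>'
)
CLEAN = (
    "HTTP/1.1 500 \r\nContent-Type: text/html;charset=utf-8\r\n\r\n"
    "<html><body><h1>An error occurred.</h1></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("clean", CLEAN)):
        print(label, tomcat_version_leaks(raw) or "no Tomcat version exposed")
```
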

 


Internal Notes: (Non Customer View-able - Non Confidential)

This issue is logged under JIRA PPP-4956
