Overview 

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. (CWE-35)

 

Products Affected 

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x

 

Description 

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not sanitize a user input used as a file path through the UploadFile service.

 

Impact 

This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.

 

Action  

We recommend you upgrade to the latest Hitachi Vantara Pentaho Data Integration & Analytics release or Service Pack where this vulnerability is addressed.

Please review the Pentaho End-of-Life policy to ensure you are up to date.

 

---