CVE Vulnerability

CVE-2021-34685

UploadService in Hitachi Vantara Pentaho Business Analytics through 9.1 does not properly verify uploaded user files, which allows an authenticated user to upload various files of different file types. Specifically, a .jsp file is not allowed, but a .jsp. file is allowed (and leads to remote code execution).

6.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

7.2 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.hitachi.com/hirt/security/index.html Vendor Advisory
http://packetstormsecurity.com/files/164775/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-Filename-Bypass.html Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:hitachi:vantara_pentaho:*:*:*:*:*:*:*:*
Information

Published : 2021-11-08 04:15

Updated : 2021-11-09 09:52

NVD link : CVE-2021-34685

Mitre link : CVE-2021-34685

Products Affected
No products.
CWE
CWE-434