Home

Description

Overview The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. (CWE-35) Description Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not sanitize a user input used as a file path through the CGG Draw API. Impact This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.

PUBLISHED Reserved 2025-01-27 | Published 2025-04-16 | Updated 2025-04-17 | Assigner HITVAN




MEDIUM: 6.8CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

Problem types

CWE-35: Path Traversal: '.../...//'

Product status

Default status
unaffected

1.0 (maven)
affected

10.0 (maven) before 10.2.0.2
affected

Credits

Hitachi Group Member finder

References

support.pentaho.com/...cluding-9-3-x-Impacted-CVE-2025-24907

cve.org (CVE-2025-24907)

nvd.nist.gov (CVE-2025-24907)

Download JSON