Vulnerability CVE-2015-6940
Published: 2015-09-22

Description:
The GetResource servlet in Pentaho Business Analytics (BA) Suite 4.5.x, 4.8.x, and 5.0.x through 5.2.x and Pentaho Data Integration (PDI) Suite 4.3.x, 4.4.x, and 5.0.x through 5.2.x does not restrict access to files in the pentaho-solutions/system folder, which allows remote attackers to obtain passwords and other sensitive information via a file name in the resource parameter.

See advisories in our WLB2 database:
Topic
Author
Date
Low
Pentaho 5.2.x BA Suite / PDI Information Disclosure
Gregory DRAPERI
20.09.2015

Type:

CWE-200

 (Information Exposure)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
Pentaho -> Business analytics 
Pentaho -> Data integration 

 References:
http://packetstormsecurity.com/files/133601/Pentaho-5.2.x-BA-Suite-PDI-Information-Disclosure.html
http://www.securityfocus.com/archive/1/536477/100/0/threaded
https://support.pentaho.com/entries/78884125-Security-Vulnerability-Announcement-Feb-2015
Copyright 2024, cxsecurity.com

 

Back to Top