Nov 08, 2021 - 3:37 a.m.

CVE-2021-34685

2021-11-08 03:37:53
mitre
www.cve.org
hitachi vantara pentaho
business analytics
uploadservice
authenticated user
file verification
remote code execution

CVSS3: 2.7

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

AI Score: 7.4
Confidence: High

EPSS: 0.021
Percentile: 89.2%

UploadService in Hitachi Vantara Pentaho Business Analytics through 9.1 does not properly verify uploaded user files, which allows an authenticated user to upload various files of different file types. Specifically, a .jsp file is not allowed, but a .jsp. file is allowed (and leads to remote code execution).
