
CVE-2022-43771 Hitachi Vantara Pentaho Business Analytics Server - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Published: 2023-04-03 18:40:01
Weakness: CWE-22
Source: HITVAN (www.cve.org)
Tags: cve-2022-43771, hitachi vantara, pentaho business analytics, path traversal, csv import, security vulnerability, information disclosure

CVSS3 base score: 6.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001
Percentile: 29.8%

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x, using the Pentaho Data Access plugin expose a service endpoint for CSV import that allows a user-supplied path to access resources outside the intended directory.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "modules": [
      "Data Access Plugin"
    ],
    "product": "Pentaho Business Analytics Server",
    "vendor": "Hitachi Vantara",
    "versions": [
      {
        "lessThan": "9.3.0.1",
        "status": "affected",
        "version": "1.0",
        "versionType": "maven"
      }
    ]
  }
]
