Vulnerability Description
The GetResource servlet in Pentaho Business Analytics (BA) Suite 4.5.x, 4.8.x, and 5.0.x through 5.2.x and Pentaho Data Integration (PDI) Suite 4.3.x, 4.4.x, and 5.0.x through 5.2.x does not restrict access to files in the pentaho-solutions/system folder, which allows remote attackers to obtain passwords and other sensitive information via a file name in the resource parameter.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pentaho | Data Integration | 4.3 |
| Pentaho | Business Analytics | 4.5 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/133601/Pentaho-5.2.x-BA-Suite-PDI-InformatiExploit
- http://www.securityfocus.com/archive/1/536477/100/0/threaded
- https://support.pentaho.com/entries/78884125-Security-Vulnerability-AnnouncementPatchVendor Advisory
- http://packetstormsecurity.com/files/133601/Pentaho-5.2.x-BA-Suite-PDI-InformatiExploit
- http://www.securityfocus.com/archive/1/536477/100/0/threaded
- https://support.pentaho.com/entries/78884125-Security-Vulnerability-AnnouncementPatchVendor Advisory
FAQ
What is CVE-2015-6940?
CVE-2015-6940 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The GetResource servlet in Pentaho Business Analytics (BA) Suite 4.5.x, 4.8.x, and 5.0.x through 5.2.x and Pentaho Data Integration (PDI) Suite 4.3.x, 4.4.x, and 5.0.x through 5.2.x does not restrict ...
How severe is CVE-2015-6940?
CVE-2015-6940 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-6940?
Check the references section above for vendor advisories and patch information. Affected products include: Pentaho Data Integration, Pentaho Business Analytics.