Vulnerability Description
UploadService in Hitachi Vantara Pentaho Business Analytics through 9.1 does not properly verify uploaded user files, which allows an authenticated user to upload various files of different file types. Specifically, a .jsp file is not allowed, but a .jsp. file is allowed (and leads to remote code execution).
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hitachi | Vantara Pentaho | <= 9.1.0.0 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/164775/Pentaho-Business-Analytics-Pentaho-BExploitThird Party AdvisoryVDB Entry
- https://www.hitachi.com/hirt/security/index.htmlVendor Advisory
- http://packetstormsecurity.com/files/164775/Pentaho-Business-Analytics-Pentaho-BExploitThird Party AdvisoryVDB Entry
- https://www.hitachi.com/hirt/security/index.htmlVendor Advisory
FAQ
What is CVE-2021-34685?
CVE-2021-34685 is a vulnerability with a CVSS score of 2.7 (LOW). UploadService in Hitachi Vantara Pentaho Business Analytics through 9.1 does not properly verify uploaded user files, which allows an authenticated user to upload various files of different file types...
How severe is CVE-2021-34685?
CVE-2021-34685 has been rated LOW with a CVSS base score of 2.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-34685?
Check the references section above for vendor advisories and patch information. Affected products include: Hitachi Vantara Pentaho.