Hitachi Vantara Pentaho Business Analytics Server XML External Entity Injection Vulnerability

Vulnerability

A vulnerability exists in Hitachi Vantara Pentaho Business Analytics Server versions prior to 10.2.0.2, including 9.3.x and 8.3.x. The issue arises because the application does not properly safeguard the Pentaho Data Integration MessageSourceCrawler against out-of-band XML External Entity references. This flaw allows an attacker to exploit the XML parsing process by defining an external entity that points to a local file or an external server, potentially leading to unauthorized file access or manipulation of outgoing requests.

Impact

Exploitation of this vulnerability allows for unauthorized reading of local files or manipulation of outgoing requests to external servers, which could be used to bypass firewall restrictions or obscure the source of certain attacks, such as port scanning.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          3.1
impact          3.3
exploitability  4.8
remediation     0.0
relevance       0.0
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.