Hitachi Vantara Pentaho Business Analytics Server XML External Entity Injection Vulnerability

Vulnerability

A vulnerability exists in Hitachi Vantara Pentaho Business Analytics Server versions prior to 10.2.0.2, including 9.3.x and 8.3.x. The issue arises because the Data Access XMLParserFactoryProducer does not properly safeguard against out-of-band XML External Entity references. This flaw allows an attacker to exploit the XML parsing process by defining an external entity that points to a local file or an external server, potentially leading to unauthorized file access or manipulation of outgoing requests.

Impact

Exploitation of this vulnerability allows for arbitrary file reading from the server where Pentaho is running. Additionally, it could enable an attacker to make outgoing requests to external servers, bypassing firewall restrictions or obscuring the origin of certain attacks, such as port scanning.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          3.1
  impact          3.3
  exploitability  4.8
  remediation     0.0
  relevance       0.0
  threat          0.0
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.