CVE-2015-6940

Published: 22/09/2015 Updated: 09/10/2018
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

The GetResource servlet in Pentaho Business Analytics (BA) Suite 4.5.x, 4.8.x, and 5.0.x up to and including 5.2.x and Pentaho Data Integration (PDI) Suite 4.3.x, 4.4.x, and 5.0.x up to and including 5.2.x does not restrict access to files in the pentaho-solutions/system folder, which allows remote malicious users to obtain passwords and other sensitive information via a file name in the resource parameter.

Vulnerable Product

pentaho data integration 4.3

pentaho data integration 5.1

pentaho data integration 5.2

pentaho data integration 4.4

pentaho data integration 5.0

pentaho business analytics 4.8

pentaho business analytics 5.0

pentaho business analytics 4.5

pentaho business analytics 5.1

pentaho business analytics 5.2

Exploits

Pentaho version 5.2.x GA BA Suite and PDI allow unauthenticated access to configuration files. The GetResource servlet, a vestige of the old platform UI, allows unauthenticated access to resources in the pentaho-solutions/system folder. Specifically vulnerable are properties files that may reveal passwords ...