UploadService in Hitachi Vantara Pentaho Business Analytics through 9.1 does not properly verify uploaded user files, which allows an authenticated user to upload various files of different file types. Specifically, a .jsp file is not allowed, but a .jsp. file is allowed (and leads to remote code execution).
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/164775/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-Filename-Bypass.html | Exploit Third Party Advisory VDB Entry |
https://www.hitachi.com/hirt/security/index.html | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2021-11-08T03:37:53
Updated: 2021-11-08T03:37:53
Reserved: 2021-06-14T00:00:00
Link: CVE-2021-34685
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-11-08T04:15:08.377
Modified: 2021-11-09T21:52:39.497
Link: CVE-2021-34685
JSON object: View
Redhat Information
No data.
CWE