CVE-2021-34685

Опубликовано: 08 нояб. 2021

Источник: nvd

CVSS3: 2.7

CVSS3: 7.2

CVSS2: 6.5

EPSS Низкий

Описание

UploadService in Hitachi Vantara Pentaho Business Analytics through 9.1 does not properly verify uploaded user files, which allows an authenticated user to upload various files of different file types. Specifically, a .jsp file is not allowed, but a .jsp. file is allowed (and leads to remote code execution).

Ссылки

http://packetstormsecurity.com/files/164775/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-Filename-Bypass.html
Exploit
Third Party Advisory
VDB Entry
https://www.hitachi.com/hirt/security/index.html
Vendor Advisory
http://packetstormsecurity.com/files/164775/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-Filename-Bypass.html
Exploit
Third Party Advisory
VDB Entry
https://www.hitachi.com/hirt/security/index.html
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:hitachi:vantara_pentaho:*:*:*:*:*:*:*:*

Версия до 9.1.0.0 (включая)

EPSS

Процентиль: 83%

0.0197

Низкий

2.7 Low

CVSS3

7.2 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-434

Связанные уязвимости

GHSA-v548-fhp9-qm3w

github

больше 3 лет назад

EPSS

Процентиль: 83%

0.0197

Низкий

2.7 Low

CVSS3

7.2 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-434