
Critical Flaws Uncovered in Pentaho Business Analytics Software
2021-11-01 12:21

Multiple vulnerabilities have been disclosed in Hitachi Vantara's Pentaho Business Analytics software that could be abused by malicious actors to upload arbitrary data files and even execute arbitrary code on the underlying host system of the application.

Pentaho is a Java-based business intelligence platform that offers data integration, analytics, online analytical processing, and mining capabilities, and counts major companies and organizations like Bell, CERN, Cipal, Logitech, Nasdaq, Telefonica, Teradata, and the National September 11 Memorial and Museum among its customers.

The list of flaws, which affect Pentaho Business Analytics versions 9.1 and lower, is as follows:

Successful exploitation of the flaws could allow an authenticated user with sufficient role permissions to upload and run Pentaho Report Bundles that execute malicious code on the host server and exfiltrate sensitive application data, and to bypass the filename extension restrictions enforced by the application in order to upload files of any type.

What's more, the flaws could also be leveraged by a low-privileged authenticated attacker to retrieve the credentials and connection details of all Pentaho data sources, allowing that party to harvest and transmit data, and could enable an unauthenticated user to execute arbitrary SQL queries against the backend database and retrieve its contents.

In light of the critical nature of the flaws and the risk they pose to the underlying system, users of the application are strongly advised to update to the latest version.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/c4O4wZ2y13A/critical-flaws-uncovered-in-pentaho.html