CVE-2025-24908
📋 TL;DR
This path traversal vulnerability in Hitachi Vantara Pentaho Data Integration & Analytics allows attackers to access files outside restricted directories by exploiting improper sanitization of '.../...//' sequences in file paths. Organizations using affected versions (before 10.2.0.2, including 9.3.x and 8.3.x) are at risk, particularly those with internet-facing instances.
💻 Affected Systems
- Hitachi Vantara Pentaho Data Integration & Analytics
⚠️ Manual Verification Required
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive system files, configuration files, or application data, potentially leading to credential theft, data exfiltration, or further system compromise.
Likely Case
Unauthorized file access leading to information disclosure of application configuration, user data, or system information that could enable further attacks.
If Mitigated
Limited to accessing only non-sensitive files within the application's directory structure if proper input validation and access controls are implemented.
🎯 Exploit Status
Exploitation requires access to the UploadFile service endpoint, which typically requires authentication. The vulnerability is straightforward to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.2.0.2
Restart Required: Yes
Instructions:
1. Download version 10.2.0.2 from official Pentaho sources.
2. Backup current installation and data.
3. Stop all Pentaho services.
4. Apply the update following vendor documentation.
5. Restart services and verify functionality.
🔧 Temporary Workarounds
Restrict UploadFile Service Access
Limit network access to the UploadFile service endpoint using firewall rules or application-level access controls.
Implement Input Validation Proxy
Deploy a reverse proxy or WAF that filters path traversal sequences before they reach the application.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Pentaho instances from sensitive systems
- Enable detailed logging and monitoring for file access attempts through the UploadFile service
🔍 How to Verify
Check if Vulnerable:
Check the Pentaho version in the administration console or by examining installation files. Versions before 10.2.0.2 are vulnerable.
Check Version:
Check the version.properties file in the Pentaho installation directory or use the administration web interface.
Verify Fix Applied:
After patching, verify the version shows 10.2.0.2 or later. Test the UploadFile service with path traversal attempts to confirm they are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual file path patterns in UploadFile service logs
- Multiple failed file access attempts with traversal sequences
- Access to files outside expected directories
Network Indicators:
- HTTP requests to the UploadFile endpoint containing '.../' or '../' sequences, including URL-encoded forms
- Unusual file access patterns from single sources
SIEM Query:
source="pentaho_logs" AND ("UploadFile" AND (".../" OR "../" OR "..\\"))
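As an added example (not from this advisory or from Pentaho), the following Python detector applies the idea behind the SIEM query to sample access-log lines: it scopes to the UploadFile endpoint, decodes parameter values, and flags not only a literal '..' segment but also values such as '.../...//' that collapse into '../' once a single-pass sanitizer strips them, which generalizes to other nested forms such as '....//'. The log lines, the request path and the `fileName` parameter name are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log lines; path and 'fileName' parameter are assumptions.
SAMPLE_LOGS = [
    '10.0.0.5 "POST /pentaho/UploadFile?fileName=sales_q1.csv HTTP/1.1" 200',
    '10.0.0.7 "POST /pentaho/UploadFile?fileName=..%2F..%2Fother%2Fdir%2Ffile.txt HTTP/1.1" 200',
    '10.0.0.9 "POST /pentaho/UploadFile?fileName=.../...//other/dir/file.txt HTTP/1.1" 200',
    '10.0.0.9 "GET /pentaho/Home?path=../static/logo.png HTTP/1.1" 200',
]
REQUEST = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
SEP = re.compile(r"[\\/]")  # path separators, either slash style


def naive_strip(value: str) -> str:
    """Single-pass removal of '../': the sanitizer '.../...//' defeats, since
    removing the two inner '../' leaves exactly '../' behind."""
    return value.replace("../", "")


def traversal_indicator(value: str):
    """Return 'dot-dot-slash' if a segment is literally '..', 'nested-dot-dot' if
    the value only turns into '../' after a stripping pass, else None."""
    current = unquote(unquote(value))  # tolerate double URL encoding
    if ".." in SEP.split(current):
        return "dot-dot-slash"
    while True:  # strip to a fixed point, as a looping sanitizer would
        stripped = current.replace("../", "").replace("..\\", "")
        if stripped == current:
            return None
        if ".." in SEP.split(stripped):
            return "nested-dot-dot"
        current = stripped


def scan_logs(lines):
    """Return (source_ip, parameter, indicator) for UploadFile requests whose
    query parameters carry a traversal indicator; other endpoints are skipped."""
    hits = []
    for line in lines:
        match = REQUEST.match(line)
        if not match:
            continue
        ip, target = match.group(1), match.group(2)
        parts = urlsplit(target)
        if "UploadFile" not in parts.path:
            continue
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            kind = traversal_indicator(raw)
            if kind:
                hits.append((ip, name, kind))
    return hits
```

Adjust `REQUEST` to your proxy or server log format before feeding real lines to `scan_logs`.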