CVE-2025-9122
📋 TL;DR
This vulnerability in Hitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Framework exposes detailed server stack traces through error messages in the GetCdfResource servlet. Attackers can use this sensitive information to understand the application's internal structure and potentially identify other vulnerabilities. Organizations running affected versions of Pentaho are impacted.
💻 Affected Systems
- Hitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Framework
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain detailed internal server information that could be used to craft targeted attacks, potentially leading to further exploitation of other vulnerabilities in the system.
Likely Case
Information disclosure that reveals server configuration details, software versions, and internal paths, which could aid attackers in reconnaissance and planning subsequent attacks.
If Mitigated
Limited information exposure that doesn't directly lead to system compromise but still provides some reconnaissance value to attackers.
🎯 Exploit Status
Exploitation requires triggering an error condition in the GetCdfResource servlet
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.2.0.4 or later
Restart Required: Yes
Instructions:
1. Download and install Pentaho version 10.2.0.4 or later from official sources. 2. Apply the update to all affected servers. 3. Restart the Pentaho service. 4. Verify the fix by testing error conditions.
🔧 Temporary Workarounds
Configure custom error pages
allImplement custom error handling to prevent stack trace exposure
Configure web.xml with custom error pages for HTTP 500 errors
Implement error handling filters in the application
Restrict access to GetCdfResource servlet
allLimit access to the vulnerable endpoint using network controls
Configure firewall rules to restrict access to /pentaho/api/repos/:path:/cdf/resource endpoint
Implement IP whitelisting for the servlet
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to filter error responses containing stack traces
- Monitor and alert on access attempts to the GetCdfResource servlet that trigger errors
🔍 How to Verify
Check if Vulnerable:
Access the GetCdfResource servlet endpoint and trigger an error condition. If detailed stack traces are displayed in the response, the system is vulnerable.Check Version:
Check the Pentaho version in the administration console or via the web interfaceVerify Fix Applied:
After patching, trigger the same error condition and verify that only generic error messages are returned without stack traces.📡 Detection & Monitoring
Log Indicators:
- HTTP 500 errors from GetCdfResource servlet endpoints
- Unusual error patterns in application logs
Network Indicators:
- HTTP requests to /pentaho/api/repos/*/cdf/resource endpoints resulting in error responses
SIEM Query:
source="pentaho_logs" AND (status=500 AND uri="/pentaho/api/repos/*/cdf/resource")