CVE-2025-24907 in Pentaho Data Integration & Analytics

Summary

by MITRE • 04/17/2025

Overview

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. (CWE-35)

Description

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not sanitize user input that the CGG Draw API uses as a file path.

Impact

This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.


Analysis

by VulDB Data Team • 04/17/2025

CVE-2025-24907 is a path traversal flaw in Hitachi Vantara Pentaho Data Integration & Analytics. The CGG Draw API takes external input and uses it to build a file path that is supposed to stay inside a restricted directory, but the input is not sanitized, so a crafted value lets a caller reach files outside that directory. MITRE classifies the weakness as CWE-35, the variant of path traversal in which '.../...//' sequences are not properly neutralized.

The specific sequence matters because of how weak filters fail. A filter that removes '../' in a single, non-recursive pass turns '.../...//' into exactly '../': the characters that survive the strip re-form the traversal the filter was meant to delete, and each repetition of the sequence climbs one directory. The affected versions span the 8.3.x and 9.3.x branches and every release before 10.2.0.2, so the flaw persisted across several major releases. In each of them the CGG Draw API incorporates the user-supplied value into a file path without canonicalizing it and checking that the result still lies inside the intended directory.
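To make the CWE-35 mechanism concrete, the following Python is an added example written for this page; it is not Pentaho's code and says nothing about how the CGG Draw API is actually implemented. naive_sanitize models a filter that strips '../' once, vulnerable_resolve joins and normalizes what the filter leaves behind, and hardened_resolve shows the canonicalize-then-check-containment pattern that defeats the payload. BASE_DIR and the file names are assumptions made for the example.

```python
import posixpath

# Directory the draw endpoint is supposed to serve scripts from. The path is an
# assumption for this example, not Pentaho's real layout.
BASE_DIR = "/opt/pentaho/server/pentaho-solutions/system/cgg"


def naive_sanitize(user_path: str) -> str:
    """Weak filter: removes every '../' in a single pass. This models the kind of
    non-recursive neutralization CWE-35 describes; it is illustrative, not
    Pentaho's code."""
    return user_path.replace("../", "")


def vulnerable_resolve(user_path: str) -> str:
    """Resolve a user-supplied relative path the unsafe way: filter, join, normalize.
    Returns the absolute path that would actually be opened."""
    cleaned = naive_sanitize(user_path)
    return posixpath.normpath(posixpath.join(BASE_DIR, cleaned))


def is_contained(resolved: str) -> bool:
    """True if resolved is BASE_DIR itself or lies strictly below it."""
    base = posixpath.normpath(BASE_DIR)
    return resolved == base or resolved.startswith(base + "/")


def hardened_resolve(user_path: str) -> str:
    """Safe pattern: strip nothing, canonicalize the joined path, then enforce
    containment. Raises ValueError on traversal instead of returning a path
    outside BASE_DIR. On a live filesystem use os.path.realpath so symlinks are
    resolved before the check; posixpath.normpath is used here so the example
    behaves identically on every platform."""
    if user_path.startswith("/"):
        raise ValueError(f"absolute path not allowed: {user_path!r}")
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, user_path))
    if not is_contained(candidate):
        raise ValueError(f"path escapes restricted directory: {user_path!r}")
    return candidate


# Constructed payload: eight '.../...//' sequences, each of which the naive filter
# collapses to a plain '../', followed by a target file outside BASE_DIR.
CWE35_PAYLOAD = ".../...//" * 8 + "etc/passwd"


def demo() -> dict:
    """Run both resolvers on the payload and on a benign path; return the outcomes."""
    result = {
        "naive_output": naive_sanitize(CWE35_PAYLOAD),
        "vulnerable_path": vulnerable_resolve(CWE35_PAYLOAD),
        "benign_path": hardened_resolve("charts/bar.js"),
    }
    result["vulnerable_escaped"] = not is_contained(result["vulnerable_path"])
    try:
        hardened_resolve("../../../../../../../../etc/passwd")
        result["hardened_rejects_dotdot"] = False
    except ValueError:
        result["hardened_rejects_dotdot"] = True
    # With no stripping, '.../...//' is just a (non-existent) directory named
    # '...' under BASE_DIR, so the hardened resolver keeps the payload contained.
    result["hardened_keeps_payload_inside"] = is_contained(hardened_resolve(CWE35_PAYLOAD))
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take from the run is that the hardened resolver never tries to recognise bad sequences at all: it resolves whatever it is given and then asks one question, is the result under BASE_DIR. Filters that enumerate patterns to strip will always have a sequence they have not thought of.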

The impact is read access to files the application process can reach but the API was never meant to expose: configuration files, stored credentials, application code, or other data outside the restricted directory. What an attacker gains from that depends on the privileges of the Pentaho service account and on what secrets sit on the host; credentials recovered this way are a common stepping stone to further access, but the vulnerability itself is a file-access flaw, not code execution. The advisory does not state what authentication is needed to reach the CGG Draw API, so until patched, treat any instance whose CGG endpoints are reachable as exposed.

Organizations running affected versions should upgrade to 10.2.0.2 or later, the release the advisory names as fixed. Where an upgrade must wait, the defensive pattern is the one the flaw lacks: canonicalize the joined path, resolving '..' and symlinks, and reject any result that is not inside the restricted directory, rather than stripping '../' substrings, which is exactly what '.../...//' defeats. Additional layers include running the Pentaho service with file-system permissions limited to what it needs, putting a web application firewall or reverse-proxy rule in front of the CGG endpoints to flag percent-encoded and doubled-dot traversal sequences, and reviewing the platform's other file-serving endpoints for the same pattern. In MITRE ATT&CK terms this is exploitation of a public-facing application (T1190) that yields data from the local system (T1005); it is not command and scripting interpreter abuse (T1059), because the flaw reads files rather than running commands.
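Because the analysis above recommends catching traversal attempts at a WAF or proxy, here is an added Python example (not VulDB's or Hitachi Vantara's code) that scans constructed access-log lines for the payloads relevant to this flaw: literal '..' segments, percent- and double-percent-encoded ones, and the '.../...//' family that only becomes '../' after a single-pass strip. It generalises beyond the one sequence the CWE names by emulating the weak filter and inspecting its output, which also catches variants such as '....//'. The endpoint path, the 'script' parameter name and the log lines are constructed for illustration and are not taken from Pentaho.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in combined format. The endpoint path and the
# 'script' parameter name are assumptions for this example, not taken from the
# advisory; only the traversal payloads matter for the detection logic.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Apr/2025:10:01:02 +0000] "GET /pentaho/plugin/cgg/api/services/draw?script=charts/bar.js&outputType=png HTTP/1.1" 200 5120
10.0.0.9 - - [17/Apr/2025:10:01:07 +0000] "GET /pentaho/plugin/cgg/api/services/draw?script=.../...//.../...//etc/passwd HTTP/1.1" 200 1843
10.0.0.9 - - [17/Apr/2025:10:01:09 +0000] "GET /pentaho/plugin/cgg/api/services/draw?script=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1843
10.0.0.9 - - [17/Apr/2025:10:01:11 +0000] "GET /pentaho/plugin/cgg/api/services/draw?script=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SCRIPT_PARAM_RE = re.compile(r"[?&]script=([^&\s]*)")
# A '..' that forms a whole path segment: at the start or after '/', then '/' or end.
DOTDOT_SEGMENT = re.compile(r"(?:^|/)\.\.(?:/|$)")


def decode_repeatedly(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that double
    encoding such as %252e cannot hide a '..' from the checks below."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def strip_once(path: str) -> str:
    """Emulate a weak filter that removes '../' in one non-recursive pass. Its
    output is what such a filter would hand to the file system for this input."""
    return path.replace("../", "")


def classify(raw_value: str) -> list:
    """Return the reasons a script parameter value looks like traversal
    (an empty list means it looks benign)."""
    decoded = decode_repeatedly(raw_value)
    reasons = []
    if decoded != raw_value:
        reasons.append("percent-encoded")
    if DOTDOT_SEGMENT.search(decoded):
        reasons.append("dot-dot segment")
    elif DOTDOT_SEGMENT.search(strip_once(decoded)):
        # No '..' segment as written, but one appears once a single-pass filter
        # has stripped '../': this is the '.../...//' (and '....//') family.
        reasons.append("dot-dot after single-pass strip")
    return reasons


def scan_log(text: str) -> list:
    """Parse each request line, extract the script parameter and report suspicious ones."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        p = SCRIPT_PARAM_RE.search(m.group("target"))
        if not p:
            continue
        raw = p.group(1)
        reasons = classify(raw)
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "raw": raw,
                "decoded": decode_repeatedly(raw),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['raw']} -> {f['decoded']} [{', '.join(f['reasons'])}]")
```

Note that the 404 on the double-encoded request is not a reason to ignore it: a failed probe from the same source as two successful reads is exactly the sequence that should raise the alert, and a rule that only fires on status 200 would miss the reconnaissance that precedes the working payload.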

Responsible

HITVAN

Reservation

01/27/2025

Disclosure

04/17/2025

Moderation

accepted

CPE

ready

EPSS

0.00350

KEV

no

Activities

very low
