CVE-2025-24911 in Pentaho Business Analytics Server

Summary

by MITRE • 04/17/2025

Overview

XML documents may carry a Document Type Definition (DTD), which, among other things, can declare XML entities. An entity's replacement text can be given as a URI (an external entity); a parser that honours such a declaration fetches the resource at that URI and substitutes its content wherever the entity is referenced, so the fetched data flows into the application that is processing the XML. If the application reflects that data back (for example in an error message), the contents of the referenced file are exposed. (CWE-611)
Description

Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.2, including 9.3.x and 8.3.x, do not correctly protect Data Access XMLParserFactoryProducer against out-of-band XML External Entity Reference.

Impact

By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file. Using URIs with other schemes such as http://, the attacker can force the application to make outgoing requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions or hide the source of attacks such as port scanning.

Analysis

by VulDB Data Team • 04/17/2025

CVE-2025-24911 is an XML External Entity (XXE) weakness in Hitachi Vantara Pentaho Business Analytics Server that affects versions before 10.2.0.2, including the 9.3.x and 8.3.x lines. The Data Access XMLParserFactoryProducer component does not adequately restrict external entity references in the documents it parses. XML allows a Document Type Definition (DTD) to declare an entity whose replacement text is fetched from a URI; when a crafted document declares such an entity with a file:// URI and references it in the content, a parser that honours the declaration reads the named local file and substitutes its contents into the document. Whatever the application then does with the parsed data, including reflecting it in a response or an error message, can disclose the file. The "out-of-band" qualifier in the vendor description refers to the variant in which the attacker does not depend on the response at all: the parser is instead made to fetch a remote DTD or to issue a request to a server the attacker controls, and that fetch itself carries the signal, or the data, out of the network.

The weakness maps to CWE-611, Improper Restriction of XML External Entity Reference. The defect is one of parser configuration rather than input handling: the parsers produced by XMLParserFactoryProducer are not configured to refuse DTDs or to disable the resolution of external general and parameter entities, so a DTD supplied inside the document decides what the parser fetches. With the file:// scheme the parser reads from the server's local filesystem with the privileges of the Pentaho service account; with http:// and similar schemes it issues requests from the server's own network position, reaching hosts the attacker cannot reach directly, which can be used to bypass firewall restrictions and to hide the source of activity such as port scanning.

For organisations running affected versions the consequence is exposure of any file the service account can read, which on a typical deployment includes configuration files, data-source and database credentials, keys and application code, together with a server-side request capability that can be used to map the internal network from the Pentaho host. How far this extends depends on what the exposed files contain and what the host can reach. The vendor description does not say what access is needed to reach the affected component, so an unauthenticated path should not be assumed from the text alone; the EPSS score (0.00355), the "very low" activity rating and the absence of a KEV listing recorded below indicate no evidence of exploitation in the wild at the time of disclosure.

Remediation is to upgrade Pentaho Business Analytics Server to 10.2.0.2 or later. The underlying fix pattern for CWE-611, which applies equally to any in-house code that parses XML through Java's JAXP factories, is to configure the parser rather than to filter the input: disallow the DOCTYPE declaration outright where the application does not need DTDs, and otherwise disable external general entities, external parameter entities and external DTD loading, and set the JAXP ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA properties to the empty string so that no protocol is permitted. Filtering or "sanitising" XML text is not a substitute, because the malicious part is a perfectly well-formed DTD. On the network side, restrict egress from the Pentaho host and monitor for outbound connections it has no reason to make, since an unexpected request from the server to an arbitrary external address is the most direct indicator of XXE exploitation. Finally, review other XML-processing components in the environment for the same misconfiguration.
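The file:// entity mechanics described in the Overview and Impact sections and the JAXP parser hardening recommended above, shown together as an added example. This is not Pentaho's XMLParserFactoryProducer nor code from VulDB; it assumes a standard JDK (11 or later) with its built-in Xerces parser, and the temporary "secret" file, the payload and the class name XxeDemo are constructed for the demonstration.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // A factory left at its JDK defaults: DTDs are processed and external
    // general entities are fetched and expanded, which is the CWE-611 pattern.
    static String parseUnrestricted(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    // Hardened factory: refuse DOCTYPE altogether and, for parsers that cannot
    // do that, switch off every path by which the parser would dereference a URI.
    static String parseHardened(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive file on the server.
        Path secret = Files.createTempFile("xxe-demo", ".properties");
        Files.writeString(secret, "db.password=hunter2\n");
        try {
            // Payload of the shape the Impact section describes: an external
            // entity whose system identifier is a file:// URI.
            String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE data [\n"
                + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
                + "]>\n"
                + "<data>&xxe;</data>";

            // The unrestricted parser substitutes the file's contents into <data>.
            System.out.println("unrestricted parser returned: "
                + parseUnrestricted(payload).trim());

            // The hardened parser stops at the DOCTYPE and never opens the file.
            try {
                parseHardened(payload);
                System.out.println("hardened parser accepted the document (unexpected)");
            } catch (SAXParseException e) {
                System.out.println("hardened parser rejected it: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`. The payload here is in-band for the sake of an offline demonstration; the out-of-band variant named in the vendor description differs only in pointing the DOCTYPE or a parameter entity at an attacker-hosted DTD, and the same settings (DOCTYPE disallowed, external parameter entities and external DTD loading off) close that path as well.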

Responsible

HITVAN

Reservation

01/27/2025

Disclosure

04/17/2025

Moderation

accepted

CPE

ready

EPSS

0.00355

KEV

no

Activities

very low
