Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing Sensitive Information
Description
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x, displays the target path on the host when a file is uploaded with an invalid character in its name.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Hitachi Vantara Pentaho BA Server prior to 9.4.0.0 and 9.3.0.2 exposes the server path in error messages when uploading a file with an invalid character, aiding further attacks.
Vulnerability
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.2, including the 8.3.x line, generate an error message that includes the full server path when a file with an invalid character in its name is uploaded. This is a CWE-209 (Generation of Error Message Containing Sensitive Information) weakness [1].
Exploitation
An attacker with the ability to upload a file to the Pentaho BA Server can trigger the vulnerability by providing a filename containing an invalid character. No special privileges beyond file upload access are required. The server responds with an error message that discloses the absolute path of the target directory on the host filesystem [1].
Impact
Successful exploitation reveals the server’s internal path structure, which an attacker can leverage to craft more precise attacks, such as path traversal (CWE-22) attempts. The information disclosure itself does not grant code execution or data modification, but it lowers the barrier for subsequent, more severe exploits [1].
Mitigation
Hitachi Vantara has addressed the issue in Pentaho BA Server version 9.4.0.0 and in Service Pack 9.3.0.2 for the 9.3 release line. Users on older branches should upgrade to one of these fixed versions. No workaround is documented; the vendor recommends reviewing the Pentaho End-of-Life policy to ensure the deployed version is still supported [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
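The CWE-209 pattern described above and its fix, as an added example that is not Pentaho's code: a vulnerable upload-name check that echoes the server-side target path, the hardened form that returns only a generic message plus a correlation id and keeps the path in the server log, and a response-side check a tester or WAF rule can use to spot a leaked absolute path. The upload root and the rejected character set are constructed assumptions, not Pentaho's actual values.

```python
import logging
import re
import uuid

# Constructed upload root for the demo; Pentaho's real target directory is not on this page.
UPLOAD_ROOT = "/opt/example/upload-root"
# Characters rejected in an uploaded file name (assumed set, not Pentaho's exact rule).
INVALID_CHARS = re.compile(r'[<>:"|?*\\/\x00-\x1f]')
# Absolute Windows (C:\...) or POSIX (/...) path with at least one directory component.
ABS_PATH = re.compile(r'(?:[A-Za-z]:\\|/)(?:[\w.-]+[\\/])+')

log = logging.getLogger("upload")


def save_error_vulnerable(filename: str) -> str:
    """CWE-209 pattern: the rejection message hands the client the server-side path."""
    if INVALID_CHARS.search(filename):
        return f"Invalid character in file name: cannot write {UPLOAD_ROOT}/{filename}"
    return "ok"


def save_error_hardened(filename: str) -> str:
    """Same check, but the client gets a generic message plus a correlation id;
    the file name and target path go only to the server log."""
    if INVALID_CHARS.search(filename):
        ref = uuid.uuid4().hex[:8]
        log.warning("upload rejected ref=%s name=%r target=%s/%s",
                    ref, filename, UPLOAD_ROOT, filename)
        return f"File name contains an invalid character (ref {ref})"
    return "ok"


def leaks_path(message: str) -> bool:
    """Response-side check: does an error message expose an absolute filesystem path?
    Useful when reviewing upload error responses or writing a DLP/WAF rule."""
    return ABS_PATH.search(message) is not None


if __name__ == "__main__":
    for handler in (save_error_vulnerable, save_error_hardened):
        msg = handler("quarterly|report.csv")
        print(f"{handler.__name__}: {msg!r} leaks_path={leaks_path(msg)}")
```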
Affected products (2)
- Range: <9.3.0.2 || 9.4.0.0-
- Range: 1.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.