CVE-2025-0756

Overview   The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99)   Description   Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not restrict JNDI identifiers during the creation of platform data sources.   Impact   An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information, which can lead to remote code execution by unauthorized users.

Overview   The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99)   Description   Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not restrict JNDI identifiers during the creation of platform data sources.   Impact   An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information, which can lead to remote code execution by unauthorized users.

Descripción general, el producto recibe información de un componente ascendente, pero no restringe o restringe incorrectamente la información antes de que se use como identificador para un recurso que puede estar fuera del ámbito de control previsto. (CWE-99) Descripción: las versiones de Hitachi Vantara Pentaho Data Integration & Analytics anteriores a la 10.2.0.2, incluidas las 9.3.x y 8.3.x, no restringen los identificadores JNDI durante la creación de orígenes de datos de la plataforma. Impacto Un atacante podría obtener acceso o modificar datos o recursos del sistema sensibles. Esto podría permitir el acceso a archivos o directorios protegidos, incluidos archivos de configuración y archivos que contienen información sensible, lo que puede provocar la ejecución remota de código por parte de usuarios no autorizados.