CVE-2015-6940
Pentaho Business Analytics and Data Integration - Exposure of Sensitive Information via GetResource Servlet
Title source: llmDescription
The GetResource servlet in Pentaho Business Analytics (BA) Suite 4.5.x, 4.8.x, and 5.0.x through 5.2.x and Pentaho Data Integration (PDI) Suite 4.3.x, 4.4.x, and 5.0.x through 5.2.x does not restrict access to files in the pentaho-solutions/system folder, which allows remote attackers to obtain passwords and other sensitive information via a file name in the resource parameter.
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/536477/100/0/threaded
Exploit x_refsource_misc
http://packetstormsecurity.com/files/133601/Pentaho-5.2.x-BA-Suite-PDI-Information-Disclosure.html
Patch, Vendor Advisory x_refsource_confirm
https://support.pentaho.com/entries/78884125-Security-Vulnerability-Announcement-Feb-2015
Scores
EPSS
0.0230
EPSS Percentile
81.2%
Details
CWE
CWE-200
Status
published
Products (10)
pentaho/business_analytics
4.5
pentaho/business_analytics
4.8
pentaho/business_analytics
5.0
pentaho/business_analytics
5.1
pentaho/business_analytics
5.2
pentaho/data_integration
4.3
pentaho/data_integration
4.4
pentaho/data_integration
5.0
pentaho/data_integration
5.1
pentaho/data_integration
5.2
Published
Sep 22, 2015
Tracked Since
Feb 18, 2026