Vulnerability Details : CVE-2015-6940
The GetResource servlet in Pentaho Business Analytics (BA) Suite 4.5.x, 4.8.x, and 5.0.x through 5.2.x and Pentaho Data Integration (PDI) Suite 4.3.x, 4.4.x, and 5.0.x through 5.2.x does not restrict access to files in the pentaho-solutions/system folder, which allows remote attackers to obtain passwords and other sensitive information via a file name in the resource parameter.
Vulnerability category: Information leak
Products affected by CVE-2015-6940
- cpe:2.3:a:pentaho:data_integration:4.3:*:*:*:*:*:*:*
- cpe:2.3:a:pentaho:data_integration:5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pentaho:data_integration:5.2:*:*:*:*:*:*:*
- cpe:2.3:a:pentaho:data_integration:4.4:*:*:*:*:*:*:*
- cpe:2.3:a:pentaho:data_integration:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pentaho:business_analytics:4.8:*:*:*:*:*:*:*
- cpe:2.3:a:pentaho:business_analytics:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pentaho:business_analytics:4.5:*:*:*:*:*:*:*
- cpe:2.3:a:pentaho:business_analytics:5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pentaho:business_analytics:5.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-6940
0.48%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 73 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-6940
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST |
CWE ids for CVE-2015-6940
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-6940
-
https://support.pentaho.com/entries/78884125-Security-Vulnerability-Announcement-Feb-2015
The page you were looking for doesn't exist – Pentaho Customer Support PortalPatch;Vendor Advisory
-
http://www.securityfocus.com/archive/1/536477/100/0/threaded
SecurityFocus
-
http://packetstormsecurity.com/files/133601/Pentaho-5.2.x-BA-Suite-PDI-Information-Disclosure.html
Pentaho 5.2.x BA Suite / PDI Information Disclosure ≈ Packet StormExploit
Jump to