CVE-2015-6940
CVE-2015-6940 is a vulnerability of currently unknown severity. The GetResource servlet in Pentaho Business Analytics (BA) Suite 4.5.x, 4.8.x, and 5.0.x through 5.2.x and Pentaho Data Integration (PDI) Suite 4.3.x, 4.4.x, and 5.0.x through 5.2.x does not restrict access to files in the pentaho-solutions/system folder, which allows remote attackers to obtain passwords and other sensitive information via a file name in the resource parameter. EPSS estimates a 2.30% chance of exploitation in the next 30 days.
Description
The GetResource servlet in Pentaho Business Analytics (BA) Suite 4.5.x, 4.8.x, and 5.0.x through 5.2.x and Pentaho Data Integration (PDI) Suite 4.3.x, 4.4.x, and 5.0.x through 5.2.x does not restrict access to files in the pentaho-solutions/system folder, which allows remote attackers to obtain passwords and other sensitive information via a file name in the resource parameter.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Pentaho | Data Integration | 4.3 |
| Pentaho | Data Integration | 4.4 |
| Pentaho | Data Integration | 5.0 |
| Pentaho | Data Integration | 5.1 |
| Pentaho | Data Integration | 5.2 |
| Pentaho | Business Analytics | 4.5 |
| Pentaho | Business Analytics | 4.8 |
| Pentaho | Business Analytics | 5.0 |
| Pentaho | Business Analytics | 5.1 |
| Pentaho | Business Analytics | 5.2 |
Timeline
- Status: Modified
Source: NVD / NIST
