What is the severity of CVE-2025-24908?

The severity of CVE-2025-24908 is classified as high due to the potential for unauthorized file access.

How do I fix CVE-2025-24908?

To fix CVE-2025-24908, update the Pentaho Data Integration & Analytics software to version 10.2.0.2 or later.

What vulnerability is described by CVE-2025-24908?

CVE-2025-24908 describes a path traversal vulnerability that allows manipulation of path names to access restricted directories.

Which versions of Pentaho Data Integration & Analytics are affected by CVE-2025-24908?

Versions of Pentaho Data Integration & Analytics prior to 10.2.0.2, including versions 9.3.x and 8.3.x, are affected by CVE-2025-24908.

What impact does CVE-2025-24908 have on affected systems?

CVE-2025-24908 could allow an attacker to access sensitive files outside of the intended directory, leading to potential data breaches.

Vulnerability/
CVE-2025-24908

medium

6.8

CWE

16/4/2025

17/4/2025

CVE-2025-24908: Hitachi Vantara Pentaho Data Integration & Analytics – Path Traversal

First published: Wed Apr 16 2025(Updated: )

Overview The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. (CWE-35) Description Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not sanitize a user input used as a file path through the UploadFile service. Impact This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.

Credit: security.vulnerabilities@hitachivantara.com

Affected Software	Affected Version	How to fix
Hitachi Vantara Pentaho	<10.2.0.2>=9.3.0<9.3.x>=8.3.0<8.3.x

Never miss a vulnerability like this again

Reference Links

https://support.pentaho.com/hc/en-us/articles/35783399569421--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Path-Traversal-Versions-before-10-2-0-2-including-9-3-x-Impacted-CVE-2025-24908

Frequently Asked Questions

What is the severity of CVE-2025-24908?
The severity of CVE-2025-24908 is classified as high due to the potential for unauthorized file access.
How do I fix CVE-2025-24908?
To fix CVE-2025-24908, update the Pentaho Data Integration & Analytics software to version 10.2.0.2 or later.
What vulnerability is described by CVE-2025-24908?
CVE-2025-24908 describes a path traversal vulnerability that allows manipulation of path names to access restricted directories.
Which versions of Pentaho Data Integration & Analytics are affected by CVE-2025-24908?
Versions of Pentaho Data Integration & Analytics prior to 10.2.0.2, including versions 9.3.x and 8.3.x, are affected by CVE-2025-24908.
What impact does CVE-2025-24908 have on affected systems?
CVE-2025-24908 could allow an attacker to access sensitive files outside of the intended directory, leading to potential data breaches.

collector/mitre-cve
source/MITRE
agent/title
agent/references
agent/weakness
agent/type
agent/description
agent/first-publish-date
agent/guess-ai
agent/software-canonical-lookup
agent/softwarecombine
collector/nvd-api
source/NVD
agent/last-modified-date
agent/source
agent/author
agent/severity
agent/tags
agent/event
vendor/hitachi vantara
canonical/hitachi vantara pentaho

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.