{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T07:17:06.375","vulnerabilities":[{"cve":{"id":"CVE-2025-24908","sourceIdentifier":"security.vulnerabilities@hitachivantara.com","published":"2025-04-16T23:15:45.147","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Overview\n\nThe product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. (CWE-35)\n\nDescription\n\nHitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not sanitize a user input used as a file path through the UploadFile service.\n\nImpact\n\nThis allows attackers to traverse the file system to access files or directories that are outside of the restricted directory."},{"lang":"es","value":"Descripción general: El producto utiliza entradas externas para construir una ruta de acceso que debería estar dentro de un directorio restringido, pero no neutraliza correctamente las secuencias \".../...//\" (doble punto y triple barra diagonal) que pueden resolverse en una ubicación fuera de ese directorio. (CWE-35) Descripción: Las versiones de Hitachi Vantara Pentaho Data Integration & Analytics anteriores a la 10.2.0.2, incluidas las 9.3.x y 8.3.x, no sanean una entrada de usuario utilizada como ruta de archivo a través del servicio UploadFile. 
Impacto: Esto permite a los atacantes atravesar el sistema de archivos para acceder a archivos o directorios que están fuera del directorio restringido."}],"metrics":{"cvssMetricV31":[{"source":"security.vulnerabilities@hitachivantara.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N","baseScore":6.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":4.0}]},"weaknesses":[{"source":"security.vulnerabilities@hitachivantara.com","type":"Secondary","description":[{"lang":"en","value":"CWE-35"}]}],"references":[{"url":"https://support.pentaho.com/hc/en-us/articles/35783399569421--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Path-Traversal-Versions-before-10-2-0-2-including-9-3-x-Impacted-CVE-2025-24908","source":"security.vulnerabilities@hitachivantara.com"}]}}]}