
CVE-2021-45448: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Hitachi Vantara Pentaho Business Analytics Server

High
Tags: Vulnerability, CVE-2021-45448, CWE-22
Published: Wed Nov 02 2022 (11/02/2022, 15:12:25 UTC)
Source: CVE
Vendor/Project: Hitachi Vantara
Product: Pentaho Business Analytics Server

Description

Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 using the Pentaho Analyzer plugin expose a service endpoint for templates which allows a user-supplied path to access resources that are out of bounds. The software uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but it does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory. By using special elements such as ".." and "/" separators, attackers can escape the restricted location and access files or directories elsewhere on the system.

AI-Powered Analysis

AI analysis last updated: 06/25/2025, 23:42:55 UTC

Technical Analysis

CVE-2021-45448 is a path traversal vulnerability in Hitachi Vantara's Pentaho Business Analytics Server, affecting versions prior to 9.2.0.2 and 8.3.0.25 that use the Pentaho Analyzer plugin. The server exposes a service endpoint for templates that improperly handles user-supplied file path input. The software constructs a pathname intended to reference files or directories within a restricted parent directory, but it fails to neutralize special path elements such as ".." (parent directory traversal) and "/" separators, so an attacker can manipulate the pathname to escape the restricted directory. This improper limitation of a pathname (CWE-22) allows access to arbitrary files or directories elsewhere on the underlying system, potentially including sensitive configuration files, credentials, or other critical data. Per the CVSS v3.1 vector, the vulnerability is exploitable remotely over the network (AV:N) with low attack complexity and requires no user interaction, but it does require the attacker to hold low privileges (PR:L). The CVSS v3.1 base score is 7.1 (high severity), reflecting high confidentiality impact, low integrity impact, and no availability impact. No known exploits in the wild have been reported to date. The flaw can lead to unauthorized disclosure of sensitive information, which could be leveraged for further attacks or lateral movement within an affected environment.

Potential Impact

For European organizations using Hitachi Vantara Pentaho Business Analytics Server, this vulnerability poses a significant risk to confidentiality of sensitive business intelligence data and system files. Unauthorized access to files outside the intended directory could expose proprietary analytics data, user credentials, configuration files, or other sensitive information. This could lead to data breaches, regulatory non-compliance (e.g., GDPR violations), and reputational damage. Since Pentaho is often deployed in enterprise environments for data analytics and reporting, attackers gaining access to internal files could also facilitate further attacks such as privilege escalation or lateral movement within corporate networks. The integrity impact is limited, but the confidentiality breach alone is critical given the nature of data handled by analytics platforms. Availability is not directly impacted, so denial-of-service is unlikely. The requirement for low privileges means that insider threats or compromised low-level accounts could exploit this vulnerability. European organizations in sectors such as finance, manufacturing, telecommunications, and government that rely on Pentaho for analytics are particularly at risk. The lack of known exploits in the wild reduces immediate threat but does not eliminate risk, as attackers may develop exploits given the public disclosure.

Mitigation Recommendations

1. Upgrade Pentaho Business Analytics Server to version 9.2.0.2 or later, or 8.3.0.25 or later, where this vulnerability has been patched.
2. If immediate upgrade is not possible, implement strict network segmentation and access controls to limit access to the Pentaho server endpoints, especially the template service endpoint.
3. Employ Web Application Firewalls (WAFs) with custom rules to detect and block path traversal patterns such as '..' sequences in URL parameters targeting the template service.
4. Conduct thorough code reviews and input validation on any custom plugins or extensions interacting with file paths to ensure proper sanitization and canonicalization of user inputs.
5. Monitor logs for suspicious access patterns or attempts to access unauthorized file paths.
6. Enforce the principle of least privilege on user accounts accessing the Pentaho server to minimize the risk of exploitation by low-privilege users.
7. Regularly audit and restrict file system permissions on the server to limit the impact of any unauthorized file access.
8. Educate administrators and security teams on this vulnerability to ensure timely patching and monitoring.
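The canonicalization check from item 4 and the log monitoring from item 5, as an added Python example that is not code from Pentaho or from this advisory. It assumes a hypothetical endpoint path `/example-templates-endpoint` with a `name` query parameter (the real Pentaho Analyzer endpoint is not named on this page), and the access-log lines are constructed. `resolve_under_base` shows the defensive pattern: canonicalize the joined path and test containment on the result rather than filtering `..` out of the raw string; `flag_traversal_requests` shows the detection side, including percent-encoded and double-encoded variants that a naive `..` string match would miss.

```python
"""Added example (not Pentaho or advisory code): a defender-side containment
check for a template path, plus a detector for traversal patterns in
access-log lines. The endpoint path and log lines below are constructed."""
import os
import re
import tempfile
from typing import List, Optional, Tuple
from urllib.parse import unquote


def resolve_under_base(base_dir: str, user_path: str) -> Optional[str]:
    """Return the canonical path of base_dir/user_path if it stays strictly
    inside base_dir, otherwise None. Canonicalizing (realpath) collapses
    '..' segments and follows symlinks, so the containment test is made on
    what the filesystem would actually open, not on the raw string."""
    base = os.path.realpath(base_dir)
    # An absolute user path would make os.path.join discard base_dir.
    if os.path.isabs(user_path):
        return None
    candidate = os.path.realpath(os.path.join(base, user_path))
    # Compare with a trailing separator so '/srv/templates-private' is not
    # accepted as being under '/srv/templates'; the base itself is rejected
    # too, since a template request must name a file below it.
    if candidate.startswith(base + os.sep):
        return candidate
    return None


def check_examples() -> dict:
    """Exercise resolve_under_base against a throwaway directory; each value
    is True when the function behaves as intended for that input."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "sub"))
        return {
            "plain name accepted": resolve_under_base(base, "default.html") is not None,
            "subdirectory accepted": resolve_under_base(base, "sub/report.html") is not None,
            "dot-dot rejected": resolve_under_base(base, "../../etc/hosts") is None,
            "dot-dot after subdir rejected": resolve_under_base(base, "sub/../../x") is None,
            "absolute path rejected": resolve_under_base(base, "/etc/hosts") is None,
            "base itself rejected": resolve_under_base(base, ".") is None,
        }


# '..' bounded by a separator or end of string and not preceded by a word
# character or another dot, so 'file..html' and '...' do not trigger.
TRAVERSAL_RE = re.compile(r"(?<![\w.])\.\.(?=[\\/]|$)")
# Request target from an Apache/Tomcat-style access-log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def is_traversal_attempt(request_target: str, max_decode: int = 3) -> bool:
    """True if the target contains a traversal segment, either literally or
    after up to max_decode rounds of percent-decoding (catches %2e%2e%2f
    and double-encoded %252e%252e%252f)."""
    s = request_target
    for _ in range(max_decode + 1):
        if TRAVERSAL_RE.search(s):
            return True
        decoded = unquote(s)
        if decoded == s:
            return False
        s = decoded
    return False


# Constructed access-log lines; '/example-templates-endpoint' is a
# placeholder, not the real Pentaho Analyzer template endpoint.
LOG_LINES = [
    '10.0.0.5 - alice [02/Nov/2022:15:12:25 +0000] '
    '"GET /example-templates-endpoint?name=default.html HTTP/1.1" 200 1234',
    '10.0.0.7 - bob [02/Nov/2022:15:13:01 +0000] '
    '"GET /example-templates-endpoint?name=..%2F..%2F..%2Fetc%2Fhosts HTTP/1.1" 200 2048',
    '10.0.0.9 - carol [02/Nov/2022:15:14:11 +0000] '
    '"GET /example-templates-endpoint?name=%252e%252e%252fconfig HTTP/1.1" 404 0',
]


def flag_traversal_requests(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, request_target) for every line whose target looks like
    a traversal attempt; both 200 and 404 responses are kept, since a
    successful read and a failed probe are both worth an alert."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_traversal_attempt(m.group(1)):
            hits.append((line.split(" ", 1)[0], m.group(1)))
    return hits


if __name__ == "__main__":
    for name, ok in check_examples().items():
        print(f"{'ok ' if ok else 'BAD'} {name}")
    for client, target in flag_traversal_requests(LOG_LINES):
        print(f"traversal attempt from {client}: {target}")
```

The containment check is the one that matters in code handling the template name: stripping `..` from input is easy to bypass with encoding or mixed separators, whereas comparing the canonical result against the canonical base directory is independent of how the input was written. The log detector is deliberately loose (it decodes up to three times and flags probes that returned 404), because for monitoring the cost of a false positive is low and a 404 on a traversal payload still tells you someone is probing the endpoint.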


Technical Details

Data Version: 5.1
Assigner Short Name: HITVAN
Date Reserved: 2021-12-21T05:57:40.703Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9838c4522896dcbebf38

Added to database: 5/21/2025, 9:09:12 AM

Last enriched: 6/25/2025, 11:42:55 PM

Last updated: 8/15/2025, 5:38:49 AM

