Hey guys,
I tried reporting this directly to the vendor privately but they won't fix the issue unless an enterprise edition is purchased. I'm posting a Github issue so hopefully someone can provide a patch for the community edition.
Pentaho's xml parser does not disable the parsing of external entities, which is turned on by default. This is a problem because an attacker can upload a malicious XML file and read arbitrary files off the server and send the contents to a remote server.
An example of the vulnerability exists when importing a new Manage Data Sources > Import Metadata.
Hey guys,
I tried reporting this directly to the vendor privately but they won't fix the issue unless an enterprise edition is purchased. I'm posting a Github issue so hopefully someone can provide a patch for the community edition.
Pentaho's xml parser does not disable the parsing of external entities, which is turned on by default. This is a problem because an attacker can upload a malicious XML file and read arbitrary files off the server and send the contents to a remote server.
An example of the vulnerability exists when importing a new Manage Data Sources > Import Metadata.