oss-sec mailing list archives
CVE Request - XXE in Pentaho Business Analytics 6.0.1.0.386
From: Brendan Scarvell <bscarvell () iix net>
Date: Fri, 22 Apr 2016 11:32:26 +1000
Hi there,

I've discovered an XXE vulnerability in Pentaho Business Analytics Community Edition 6.0.1.0.386 due to Pentaho's XML parser not disabling the parsing of external entities.

This issue has been reported to the vendor several times, who has refused to fix it in the community edition unless an enterprise license is purchased. I've created a GitHub issue (https://github.com/pentaho/data-access/issues/728) for someone in the community to submit a patch.

Could a CVE ID please be assigned to this issue?

Thanks,
Brendan Scarvell