Local File Inclusion (CVE-2024-9100) Vulnerability in Analytics Plus on-premise

Severity: Medium

CVE ID: CVE-2024-9100

Product name Affected Software Version(s) Fixed Version Fixed On
Analytics Plus on-premise All Analytics Plus on-premise builds below 5410 Build 5410 June 04, 2024

Details

A Local File Inclusion (LFI) vulnerability has been discovered in Analytics Plus on-premise. This vulnerability enables an authenticated user to read arbitrary files from the server's file system through HSQLDB queries, potentially exposing sensitive information.

Impact

This vulnerability allows users to access and read sensitive system files and configuration settings on the server.

Fix

The issue has been resolved by implementing restrictions on the use of specific keywords in SQL queries. These restricted keywords include load_file,database_name, database_version, and others.

Steps to upgrade

  1. Kindly download the latest upgrade pack from the service pack page.
  2. Follow the instructions detailed in the above service pack page to upgrade to the latest build.

Acknowledgements

This vulnerability was reported by Nandhaguru through our Bug Bounty portal.

For any questions or concerns, please write to us at: