CVE-2021-31600

Pentaho Business Analytics / Pentaho Business Server 9.1 User Enumeration

Severity Score

4.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. They implement a series of web services using the SOAP protocol to allow scripting interaction with the backend server. An authenticated user (regardless of privileges) can list all valid usernames.

Se ha detectado un problema en Hitachi Vantara Pentaho versiones hasta 9.1 y en Pentaho Business Intelligence Server versiones hasta 7.x. Implementan una serie de servicios web que usan el protocolo SOAP para permitir una interacción de scripts con el servidor backend. Un usuario autenticado (independientemente de sus privilegios) puede enumerar todos los nombres de usuario válidos

Pentaho implements a series of web services using the SOAP protocol to allow scripting interaction with the backend server. HAWSEC identified that the services userRoleListService and ServiceAction exposed through the /pentaho/webservices/userRoleListService and /pentaho/ServiceAction?action=SecurityDetails endpoints are not enforcing sufficient access controls. Specifically, an authenticated user can list all application usernames present in the Jackrabbit Repository.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-04-23 CVE Reserved
2021-11-05 CVE Published
2023-03-08 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-552: Files or Directories Accessible to External Parties

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC
http://packetstormsecurity.com/files/164787/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-User-Enumeration.html	2024-08-03

URL	Date	SRC

URL	Date	SRC
https://www.hitachi.com/hirt/security/index.html	2021-11-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Hitachi Search vendor "Hitachi"		Vantara Pentaho Search vendor "Hitachi" for product "Vantara Pentaho"				<= 9.1.0.0 Search vendor "Hitachi" for product "Vantara Pentaho" and version " <= 9.1.0.0"		-		Affected
Hitachi Search vendor "Hitachi"		Vantara Pentaho Business Intelligence Server Search vendor "Hitachi" for product "Vantara Pentaho Business Intelligence Server"				<= 7.1 Search vendor "Hitachi" for product "Vantara Pentaho Business Intelligence Server" and version " <= 7.1"		-		Affected