CVE-2021-31600
Pentaho Business Analytics / Pentaho Business Server 9.1 User Enumeration
- Public Exploits: 1
- Exploited in Wild: -
- Decision: -
Descriptions
An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. They implement a series of web services using the SOAP protocol to allow scripting interaction with the backend server. An authenticated user (regardless of privileges) can list all valid usernames.
Pentaho implements a series of web services using the SOAP protocol to allow scripting interaction with the backend server. HAWSEC identified that the services userRoleListService and ServiceAction exposed through the /pentaho/webservices/userRoleListService and /pentaho/ServiceAction?action=SecurityDetails endpoints are not enforcing sufficient access controls. Specifically, an authenticated user can list all application usernames present in the Jackrabbit Repository.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-04-23 CVE Reserved
- 2021-11-05 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- Exploited in Wild: -
- KEV Due Date: -
CWE
- CWE-552: Files or Directories Accessible to External Parties
CAPEC
References (2)
URL | Date | Source
---|---|---
http://packetstormsecurity.com/files/164787/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-User-Enumeration.html | 2024-08-03 |
https://www.hitachi.com/hirt/security/index.html | 2021-11-09 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Hitachi | Vantara Pentaho | <= 9.1.0.0 | - | Affected
Hitachi | Vantara Pentaho Business Intelligence Server | <= 7.1 | - | Affected