CVE-2021-31601

Pentaho Business Analytics / Pentaho Business Server 9.1 Insufficient Access Control

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. They implement a series of web services using the SOAP protocol to allow scripting interaction with the backend server. An authenticated user (regardless of privileges) can list all databases connection details and credentials.

Se ha detectado un problema en Hitachi Vantara Pentaho versiones hasta 9.1 y en Pentaho Business Intelligence Server versiones hasta 7.x. Implementan una serie de servicios web que usan el protocolo SOAP para permitir una interacción de scripts con el servidor backend. Un usuario autenticado (independientemente de los privilegios) puede listar todos los detalles de conexión de las bases de datos y las credenciales

Pentaho implements a series of web services using the SOAP protocol to allow scripting interaction with the backend server. While most of the interfaces correctly implement ACL, the Data Source Management Service located at /pentaho/webservices/datasourceMgmtService allows low-privilege authenticated users to list the connection details of all data sources used by Pentaho.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-04-23 CVE Reserved
2021-11-05 CVE Published
2024-08-03 CVE Updated
2024-08-03 First Exploit
2024-09-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC
http://packetstormsecurity.com/files/164779/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-Insufficient-Access-Control.html	2024-08-03

URL	Date	SRC

URL	Date	SRC
https://www.hitachi.com/hirt/security/index.html	2022-07-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Hitachi Search vendor "Hitachi"		Vantara Pentaho Search vendor "Hitachi" for product "Vantara Pentaho"				<= 9.1.0.0 Search vendor "Hitachi" for product "Vantara Pentaho" and version " <= 9.1.0.0"		-		Affected
Hitachi Search vendor "Hitachi"		Vantara Pentaho Business Intelligence Server Search vendor "Hitachi" for product "Vantara Pentaho Business Intelligence Server"				<= 7.1 Search vendor "Hitachi" for product "Vantara Pentaho Business Intelligence Server" and version " <= 7.1"		-		Affected