User Enumeration Vulnerability in Hitachi Vantara Pentaho Business Intelligence Server
CVE-2021-31600

4.3MEDIUM

Key Information:

Vendor: Hitachi
Status: Vantara Pentaho; Vantara Pentaho Business Intelligence Server
Vendor: CVE Published:; 8 November 2021

Summary

A vulnerability has been identified in Hitachi Vantara's Pentaho Business Intelligence Server 9.1 and earlier 7.x versions, where web services utilizing the SOAP protocol enable authenticated users to enumerate valid usernames within the system. This issue exposes a critical component of user management, allowing any authenticated individual—regardless of their access privileges—to discover all existing usernames, potentially leading to further attacks or unauthorized access attempts.

References

https://www.hitachi.com/hirt/security/index.html

x_refsource_MISC

http://packetstormsecurity.com/files/164787/Pentaho-Busin...

x_refsource_MISC

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 8, 2021
Vulnerability Reserved
Apr 23, 2021