Insufficient Access Control in Hitachi Vantara Pentaho and Business Intelligence Server
CVE-2021-31601

7.1HIGH

Key Information:

Vendor: Hitachi
Status: Vantara Pentaho; Vantara Pentaho Business Intelligence Server
Vendor: CVE Published:; 8 November 2021

Summary

In Hitachi Vantara's Pentaho and Pentaho Business Intelligence Server, an issue allows an authenticated user, irrespective of their permission level, to enumerate all database connection details and credentials via web services utilizing the SOAP protocol. This flaw poses significant risks as sensitive information can be easily exposed, enabling unauthorized access to backend systems.

References

https://www.hitachi.com/hirt/security/index.html

x_refsource_MISC

http://packetstormsecurity.com/files/164779/Pentaho-Busin...

x_refsource_MISC

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 8, 2021
Vulnerability Reserved
Apr 23, 2021