Lucene search

[email protected]NVD:CVE-2021-31602

HistoryNov 08, 2021 - 4:15 a.m.

CVE-2021-31602

2021-11-0804:15:08

CWE-287

[email protected]

web.nvd.nist.gov

hitachi vantara

pentaho

access control

security model

unauthenticated user

applicationcontext security

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.174

Percentile

96.2%

JSON

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials.

Affected configurations

Nvd

Node

hitachivantara_pentahoRange≤9.1.0.0

hitachivantara_pentaho_business_intelligence_serverRange≤7.1

VendorProductVersionCPE
hitachivantara_pentaho*cpe:2.3:a:hitachi:vantara_pentaho:*:*:*:*:*:*:*:*
hitachivantara_pentaho_business_intelligence_server*cpe:2.3:a:hitachi:vantara_pentaho_business_intelligence_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
hitachi	vantara_pentaho	*	cpe:2.3:a:hitachi:vantara_pentaho::::::::
hitachi	vantara_pentaho_business_intelligence_server	*	cpe:2.3:a:hitachi:vantara_pentaho_business_intelligence_server::::::::