CVE-2021-31602
CVE-2021-31602 is a high-severity vulnerability with a CVSS v3.1 base score of 7.5. It affects Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x: the default applicationContext security configuration lets an unauthenticated attacker with no prior knowledge of the platform settings extract information without valid credentials. EPSS estimates a 51.65% probability of exploitation in the next 30 days.
Description
An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Hitachi | Vantara Pentaho | <= 9.1.0.0 |
| Hitachi | Vantara Pentaho Business Intelligence Server | <= 7.1 |
References
- http://packetstormsecurity.com/files/164784/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-Authentication-Bypass.html (Exploit, Third Party Advisory, VDB Entry)
- https://www.hitachi.com/hirt/security/index.html (Vendor Advisory)
Source: NVD / NIST
