PT-2021-19438 · Hitachi Vantara · Pentaho, Pentaho Business Intelligence Server
Published: 2021-11-08 · Updated: 2021-11-09 · CVE-2021-31599
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Hitachi Vantara Pentaho versions through 9.1
Pentaho Business Intelligence Server versions through 7.x
Description
An issue allows the inclusion of BeanShell scripts in report (.prpt) files to ease the production of complex reports. An authenticated user can use this feature to run arbitrary code.
Recommendations
For Hitachi Vantara Pentaho versions through 9.1, consider restricting the ability to include BeanShell scripts in reports to minimize the risk of exploitation.
For Pentaho Business Intelligence Server versions through 7.x, consider disabling the feature that allows the inclusion of BeanShell scripts in reports until a fix is available.
As a temporary workaround, consider limiting access to reports that include BeanShell scripts to only necessary personnel.
Exploit
Fix
Unrestricted File Upload
Weakness Enumeration
Related Identifiers
Affected Products
Hitachi Vantara Pentaho
Pentaho Business Intelligence Server