PT-2021-19440 · Hitachi Vantara · Pentaho Business Intelligence Server

Published 2021-11-08 · Updated 2021-11-09 · CVE-2021-31600

CVSS v3.1: 4.3 (Medium)

Vector: AC:L/AV:N/A:N/C:L/I:N/PR:L/S:U/UI:N
Name of the Vulnerable Software and Affected Versions

Hitachi Vantara Pentaho versions through 9.1
Pentaho Business Intelligence Server versions through 7.x

Description

An issue was discovered in the implementation of web services using the SOAP protocol, allowing scripting interaction with the backend server. An authenticated user, regardless of privileges, can list all valid usernames.

Recommendations

For Hitachi Vantara Pentaho versions through 9.1, consider restricting access to the SOAP web services until a patch is available. For Pentaho Business Intelligence Server versions through 7.x, restrict access to the SOAP web services to minimize the risk of exploitation. As a temporary workaround, consider disabling the scripting interaction with the backend server until a patch is available.

Weakness Enumeration

Files Accessible to External Parties

Related Identifiers

CVE-2021-31600

Affected Products

Hitachi Vantara Pentaho
Pentaho Business Intelligence Server