PT-2021-19441 · Hitachi Vantara · Pentaho Business Intelligence Server

Published: 2021-11-08 · Updated: 2022-07-12 · CVE-2021-31601

CVSS v3.1: 7.1 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Hitachi Vantara Pentaho versions through 9.1; Pentaho Business Intelligence Server versions through 7.x
Description: An issue was discovered in the implementation of the server's SOAP web services, which allow scripting interaction with the backend server. Any authenticated user, regardless of privileges, can list the connection details and credentials of all configured database connections.
Recommendations: For Hitachi Vantara Pentaho versions through 9.1, restrict access to the SOAP web services until a fix is available. For Pentaho Business Intelligence Server versions through 7.x, restrict access to the backend server to minimize the risk of exploitation. As a temporary workaround, consider disabling scripting interaction with the backend server until a patch is available. Because the flaw exposes stored database credentials, treat those credentials as compromised and rotate them if unprivileged users could have reached the service before access was restricted.
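Added example (not part of the advisory, and not code from Hitachi Vantara): a small log audit that supports the "restrict access to the SOAP web services" recommendation by checking whether any client outside an allowlisted subnet is still successfully reaching the SOAP endpoints. The page does not name the endpoint, so the path prefix /pentaho/webservices/, the service name exampleService, the subnet 10.0.5.0/24 and the sample log lines are all assumptions made for illustration.

```python
"""Audit reverse-proxy access logs for requests to the Pentaho SOAP web services.

Added example, not from the advisory. Assumptions (none are stated on the page):
  - the SOAP services are served under the path prefix /pentaho/webservices/
  - the proxy in front of the server writes Combined Log Format lines
  - only hosts in ALLOWED_SOURCES are meant to call the SOAP services
"""
import re
from ipaddress import ip_address, ip_network

SOAP_PREFIX = "/pentaho/webservices/"          # assumed location of the SOAP endpoints
ALLOWED_SOURCES = [ip_network("10.0.5.0/24")]  # assumed admin/integration subnet

# Combined Log Format: host ident authuser [date] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string (e.g. ?wsdl)
    return rec


def is_allowed_source(host):
    """True if the client address falls inside one of the allowlisted networks."""
    try:
        addr = ip_address(host)
    except ValueError:  # hostnames or junk in the host field are never allowlisted
        return False
    return any(addr in net for net in ALLOWED_SOURCES)


def find_soap_access(lines):
    """Return (time, host, method, path, status) for successful SOAP requests
    from non-allowlisted sources. 4xx responses are not reported: a 401/403
    there means the access restriction already held."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(SOAP_PREFIX):
            continue
        if 200 <= rec["status"] < 300 and not is_allowed_source(rec["host"]):
            hits.append((rec["time"], rec["host"], rec["method"], rec["path"], rec["status"]))
    return hits


# Constructed sample log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    '10.0.5.17 - - [08/Nov/2021:10:01:02 +0000] "POST /pentaho/webservices/exampleService HTTP/1.1" 200 4183 "-" "python-requests/2.26"',
    '203.0.113.45 - - [08/Nov/2021:10:03:44 +0000] "POST /pentaho/webservices/exampleService HTTP/1.1" 200 9120 "-" "curl/7.79.1"',
    '203.0.113.45 - - [08/Nov/2021:10:03:50 +0000] "GET /pentaho/webservices/exampleService?wsdl HTTP/1.1" 403 312 "-" "curl/7.79.1"',
    '198.51.100.9 - - [08/Nov/2021:10:04:01 +0000] "GET /pentaho/webservices/exampleService?wsdl HTTP/1.1" 404 210 "-" "curl/7.79.1"',
    '192.0.2.8 - - [08/Nov/2021:10:04:10 +0000] "GET /pentaho/Home HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for when, host, method, path, status in find_soap_access(SAMPLE_LOG):
        print(f"{when} {host} {method} {path} -> {status}: SOAP service reachable from outside the allowlist")
```

Run it against the real proxy log instead of SAMPLE_LOG; any line it prints after the access restriction was put in place means the restriction is not effective on that path, and the database credentials reachable through that service should be rotated.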


Related Identifiers: CVE-2021-31601

Affected Products: Hitachi Vantara Pentaho; Pentaho Business Intelligence Server