PT-2021-19442 · Hitachi Vantara · Pentaho Business Intelligence Server

Published: 2021-11-08 · Updated: 2022-07-12 · CVE-2021-31602

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions
Hitachi Vantara Pentaho versions through 9.1
Pentaho Business Intelligence Server versions through 7.x
Description
An issue was discovered in the security model of the affected software, which consists of several layers of access control. One of these layers is the applicationContext security, defined in the applicationContext-spring-security.xml file. Its default configuration allows an unauthenticated user with no prior knowledge of the platform settings to extract pieces of information without possessing valid credentials.
Recommendations
For Hitachi Vantara Pentaho versions through 9.1 and for Pentaho Business Intelligence Server versions through 7.x, update the configuration of the applicationContext-spring-security.xml file so that the affected resources are restricted and require valid credentials before any information can be extracted. As a temporary workaround, consider restricting access to the applicationContext security layer until a permanent fix is in place.
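As an added illustration of the kind of change the recommendation describes (this is not the advisory's text and not Hitachi Vantara's or Pentaho's actual configuration), the following Spring Security namespace XML shows a weak rule that lets anonymous users reach a resource beside the corrected rule that requires an authenticated principal. The URL pattern "/example/**" and the overall bean layout are placeholders; the real file's patterns and bean names are not given on this page.

```xml
<!-- Added illustration, not the advisory's or Pentaho's own configuration.
     Namespace-style Spring Security XML; "/example/**" is a placeholder pattern. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

  <sec:http use-expressions="true">
    <!-- Weak (the failure mode described above): any caller, including an
         anonymous one, may reach the resource and read what it returns. -->
    <!-- <sec:intercept-url pattern="/example/**" access="permitAll" /> -->

    <!-- Corrected: only a fully authenticated principal may reach it. -->
    <sec:intercept-url pattern="/example/**" access="isAuthenticated()" />

    <!-- Catch-all so that a resource not listed explicitly is denied rather
         than silently allowed. Rules are evaluated top to bottom, first match wins. -->
    <sec:intercept-url pattern="/**" access="denyAll" />

    <sec:http-basic />
  </sec:http>
</beans>
```

When applying a change like this, verify the effect before deploying: an unauthenticated request to the restricted resource should now receive an authentication challenge or a 401/403 rather than data, and an authenticated request should still succeed. A deny-all catch-all can break legitimate functionality if some paths are omitted, so test in a staging environment first.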


Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2021-31602

Affected Products

Hitachi Vantara Pentaho
Pentaho Business Intelligence Server