CVE-2021-34684

Name of the Vulnerable Software and Affected Versions: Hitachi Vantara Pentaho Business Analytics versions through 9.1

Description: The issue allows an unauthenticated user to execute arbitrary SQL queries on any Pentaho data source, thus enabling the retrieval of data from related databases. This is demonstrated by the "api/repos/dashboards/editor" URI, which is an API endpoint. The api/repos/dashboards/editor endpoint is vulnerable to this issue, allowing unauthorized access to sensitive data.

Recommendations: For Hitachi Vantara Pentaho Business Analytics versions through 9.1, consider restricting access to the api/repos/dashboards/editor API endpoint until a patch is available. As a temporary workaround, limit the execution of arbitrary SQL queries on Pentaho data sources to prevent unauthorized data retrieval.