Last Update: November 10, 2021
Multiple vulnerabilities have been found in Hitachi Vantara Pentaho Business Analytics Server.
CVE-2021-31599: Remote Code Execution through Pentaho Report Bundles
An issue was discovered in Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.2.0.0, 9.1.0.8 and 8.3.0.23. A report (.prpt) file allows the inclusion of BeanShell scripts to ease the production of complex reports. An authenticated user can run arbitrary code on the host.
CVSS:2.0 AV:N/AC:L/Au:S/C:C/I:C/A:C [9.0]
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8]
CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CVE-2021-34684: Unauthenticated SQL Injection
An issue was discovered in Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.2.0.0, 9.1.0.8 and 8.3.0.23. It allows an unauthenticated user to execute arbitrary SQL queries on any Pentaho data source and thus retrieve data from the related databases, as demonstrated by an api/repos/dashboards/editor URI.
CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:C/A:C [10.0]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8]
CWE-89: SQL Injection
CVE-2021-31601: Insufficient Access Control of Data Source Management
An issue was discovered in Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.2.0.0, 9.1.0.8 and 8.3.0.23. The server implements a series of web services using the SOAP protocol to allow scripting interaction with the backend server. An authenticated user (regardless of privileges) can list all database connection details and credentials in clear text.
CVSS:2.0 AV:N/AC:L/Au:S/C:C/I:P/A:N [7.5]
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N [7.1]
CWE-319: Cleartext Transmission of Sensitive Information
CVE-2021-31602: Authentication Bypass of Spring APIs
An issue was discovered in Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.2.0.0, 9.1.0.8 and 8.3.0.23. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials.
CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N [5.0]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N [5.3]
CWE-285: Improper Authorization
Jackrabbit User Enumeration
CVE-2021-31600 is described as an issue in Hitachi Vantara Pentaho Business Analytics Server. This is a product feature, not a vulnerability.
Hitachi Vantara Pentaho Business Analytics Server implements a series of web services using the SOAP protocol to allow scripting interaction with the backend server. An authenticated user can list all valid usernames. This is a fundamental permissions service that allows a particular authenticated user to access content generated by another authenticated user. The focus here should be on the authenticated user: the information is not provided to unauthenticated users. This is a feature of the Pentaho product, and customers do take advantage of it.
CVE-2021-34685: Bypass of Filename Extension Restrictions
An issue was discovered in Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.2.0.2 and 8.3.0.25. UploadService does not properly verify uploaded user files, which allows an authenticated user to upload various files of different file types. Specifically, a .jsp file is not allowed, but a .jsp. file is allowed (and leads to remote code execution).
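The bypass above works because a literal suffix check on the submitted name does not see "x.jsp." as ending in ".jsp", while the filesystem that stores it drops the trailing dot. The following is an added example, not Pentaho's UploadService code, showing that weak check beside a hardened allowlist check that canonicalises the name first; the extension lists are constructed for illustration.

```python
import os
import re

# Constructed allowlist for this example; a real deployment would use its own.
ALLOWED_EXTENSIONS = {"csv", "txt", "xlsx", "prpt"}
# Extensions that must never be stored under any name.
BLOCKED_EXTENSIONS = {"jsp", "jspx"}


def weak_is_allowed(filename: str) -> bool:
    """Literal-suffix denylist of the shape the advisory describes: it rejects
    'x.jsp' but accepts 'x.jsp.' because the string no longer ends in '.jsp'."""
    return not filename.lower().endswith(tuple("." + e for e in BLOCKED_EXTENSIONS))


def canonical_name(filename: str) -> str:
    """Reduce an uploaded name to the form the filesystem will actually use:
    drop any directory part, then trailing dots and whitespace (which Windows
    strips when creating the file), then case."""
    name = os.path.basename(filename.replace("\\", "/"))
    return name.strip().rstrip(". ").lower()


def hardened_is_allowed(filename: str) -> bool:
    """Allowlist check on the canonical name: every dot-separated segment after
    the base name must be a plain alphanumeric token, none may be a blocked
    extension, and the last one must be explicitly allowed."""
    name = canonical_name(filename)
    parts = name.split(".")
    if not name or len(parts) < 2 or not parts[0]:
        return False
    exts = parts[1:]
    if not all(re.fullmatch(r"[a-z0-9]+", e) for e in exts):
        return False
    if any(e in BLOCKED_EXTENSIONS for e in exts):
        return False
    return exts[-1] in ALLOWED_EXTENSIONS
```

The check is applied to the name the file will be stored under, not the raw upload field, which is the property the advisory's ".jsp." case violates.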
CVE-2021-31599, CVE-2021-34684, CVE-2021-31601 and CVE-2021-31602
CVE-2021-34685
These vulnerabilities allow remote users to execute arbitrary code or to expose credentials.
Users and administrators are encouraged to upgrade to a fixed version.
Masato Terada (HIRT) and Naoko Ohnishi (HIRT)