CVE-2021-31602
published 2021-11-08

Priority: P181 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 51.65% (98.8th percentile)

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
hitachi | vantara_pentaho | <= 9.1.0.0 |
hitachi | vantara_pentaho_business_intelligence_server | <= 7.1 |

Detection & IOCs (extracted from sources)

url: /pentaho/api/userrolelist/systemRoles?require-cfg.js
url: /api/userrolelist/systemRoles?require-cfg.js
  • Unauthenticated GET request to /pentaho/api/userrolelist/systemRoles or /api/userrolelist/systemRoles returning HTTP 200 with body containing both '' and 'Anonymous' strings indicates successful authentication bypass exploitation.
  • The vulnerability resides in the applicationContext-spring-security.xml default configuration; monitor for unauthenticated access to the userrolelist API endpoint on Pentaho BI Server instances.
  • Shodan queries 'Pentaho' and 'pentaho' can be used to identify internet-exposed Pentaho BI Server instances potentially vulnerable to CVE-2021-31602.
  • The authentication bypass only applies to the default configuration of applicationContext-spring-security.xml; hardened or custom configurations may not be vulnerable.
  • The nuclei template uses stop-at-first-match, meaning only one of the two probe URLs will be tested per scan run; both paths should be checked independently for full coverage.
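
A log-review sketch for the monitoring notes above, added here as an example (it is not code from the sources this page cites or from Pentaho). It assumes a combined-format access log in which the authenticated-user field is `-` for anonymous requests; the function name and sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Both endpoint paths listed on this page; each is checked independently.
ENDPOINTS = {"/pentaho/api/userrolelist/systemRoles", "/api/userrolelist/systemRoles"}
IOC_QUERY = "require-cfg.js"  # query string seen in the page's IOC URLs

# Assumed log layout: Apache/Tomcat "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_anonymous_rolelist_hits(lines):
    """Return one dict per anonymous GET to a listed endpoint answered with HTTP 200."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        url = urlsplit(m["target"])
        if (m["method"] == "GET" and m["status"] == "200"
                and m["user"] == "-" and url.path in ENDPOINTS):
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "path": url.path,
                # True when the request also carries the query from the IOC URLs
                "ioc_query": IOC_QUERY in url.query,
            })
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [08/Nov/2021:10:01:02 +0000] "GET /pentaho/api/userrolelist/systemRoles?require-cfg.js HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.7 - - [08/Nov/2021:10:01:03 +0000] "GET /api/userrolelist/systemRoles?require-cfg.js HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.20 - admin [08/Nov/2021:10:05:00 +0000] "GET /pentaho/api/userrolelist/systemRoles HTTP/1.1" 200 312 "-" "-"',
    '192.0.2.9 - - [08/Nov/2021:10:09:41 +0000] "GET /api/userrolelist/systemRoles HTTP/1.1" 200 298 "-" "-"',
    '192.0.2.9 - - [08/Nov/2021:10:09:45 +0000] "GET /pentaho/Login HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_anonymous_rolelist_hits(SAMPLE):
        print(hit)
```

Access logs do not record the response body, so a hit here is a lead to confirm against the body check described in the first bullet.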

CVSS provenance

nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck | 5.3 | MEDIUM