CVE-2021-31602
Published 2021-11-08
Priority P1 (81) · high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW · Exploit · VulnCheck KEV · Exploited in the wild
EPSS: 51.65% (98.8th percentile)
An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hitachi | vantara_pentaho | <= 9.1.0.0 | — |
| hitachi | vantara_pentaho_business_intelligence_server | <= 7.1 | — |
Detection & IOCs (extracted from sources)
- Unauthenticated GET request to /pentaho/api/userrolelist/systemRoles or /api/userrolelist/systemRoles returning HTTP 200 with a body containing both '' and 'Anonymous' strings indicates successful authentication bypass exploitation.
- The vulnerability resides in the applicationContext-spring-security.xml default configuration; monitor for unauthenticated access to the userrolelist API endpoint on Pentaho BI Server instances.
- Shodan queries 'Pentaho' and 'pentaho' can be used to identify internet-exposed Pentaho BI Server instances potentially vulnerable to CVE-2021-31602.
- The authentication bypass only applies to the default configuration of applicationContext-spring-security.xml; hardened or custom configurations may not be vulnerable.
- The nuclei template uses stop-at-first-match, meaning only one of the two probe URLs will be tested per scan run; both paths should be checked independently for full coverage.
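An added example of the monitoring suggested above (written for this page, not code from any of the quoted sources): it scans combined-format web server access log lines, here constructed samples rather than real traffic, for GET requests to either systemRoles path that returned HTTP 200, the success condition stated in the first IOC. The function names and the log regex are assumptions; a standard access log carries no record of Pentaho's session state, so every 200 on this endpoint is reported for review rather than judged authenticated or not.

```python
import re
from dataclasses import dataclass

# Combined log format: ip ident authuser [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Both probe paths named in the IOC entry (with and without the /pentaho context root)
TARGET_PATHS = {"/pentaho/api/userrolelist/systemRoles", "/api/userrolelist/systemRoles"}


@dataclass
class Hit:
    ip: str
    time: str
    path: str
    status: int


def normalise_path(path):
    # Drop the query string and a trailing slash so "?x=1" or "/"-suffixed variants still match.
    return path.split("?", 1)[0].rstrip("/")


def find_userrolelist_hits(lines, only_success=True):
    """Return Hit records for GET requests to the systemRoles endpoint.
    only_success=True reports only HTTP 200 responses (the IOC condition);
    False reports every attempt so blocked probes (401/403) stay visible too."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        path = normalise_path(m["path"])
        if m["method"] != "GET" or path not in TARGET_PATHS:
            continue
        status = int(m["status"])
        if only_success and status != 200:
            continue
        hits.append(Hit(m["ip"], m["time"], path, status))
    return hits


# Constructed sample lines (documentation addresses, not real traffic)
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2021:08:01:12 +0000] "GET /pentaho/api/userrolelist/systemRoles HTTP/1.1" 200 187 "-" "curl/7.68.0"
198.51.100.4 - - [10/Nov/2021:08:01:15 +0000] "GET /pentaho/Login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2021:08:01:20 +0000] "GET /api/userrolelist/systemRoles?x=1 HTTP/1.1" 200 187 "-" "curl/7.68.0"
192.0.2.9 - - [10/Nov/2021:08:02:00 +0000] "GET /pentaho/api/userrolelist/systemRoles HTTP/1.1" 401 0 "-" "python-requests/2.25"
garbage line that does not parse
"""

if __name__ == "__main__":
    for h in find_userrolelist_hits(SAMPLE_LOG.splitlines()):
        print(f"{h.time} {h.ip} {h.path} -> {h.status}")
```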
CVSS provenance
- NVD v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
- NVD v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
- VulnCheck: 5.3 MEDIUM
GHSA
GHSA-h47p-j8f8-w9wx · ghsa_unreviewed · 2022-05-24 · CVE-2021-31602 [HIGH] · CWE-863
VulnCheck
hitachi vantara_pentaho Improper Authentication · vulncheck · 2021 · CVE-2021-31602 [MEDIUM] · CVSS 5.3
Affected: hitachi vantara_pentaho
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/network-security
No detection rules found.
Nuclei
Hitachi Vantara Pentaho/Business Intelligence Server - Authentication Bypass · nuclei · CVE-2021-31602 [HIGH] · CVSS 7.5
Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x are vulnerable to authentication bypass. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials.
Template (excerpt):
```yaml
id: CVE-2021-31602
info:
  name: Hitachi Vantara Pentaho/Business Intelligence Server - Authentication Bypass
  author: pussycat0x
  severity: high
  description: Hitachi Vantara Pentaho through 9.1 and Pentaho Business Int
```
Unit42
Network Security Trends: November 2022-January 2023 · blogs_unit42 · 2023-05-02 · CVE-2021-22005 [CRITICAL] · CVSS 9.8
## Network Security Trends: November 2022-January 2023
Yiheng An · Published: May 2, 2023
Tags: Trend Reports, Vulnerabilities, Attack analysis, CVE-2021-22005, CVE-2021-31602, CVE-2021-33035, CVE-2021-43287, CVE-2022-1118, CVE-2022-27924, CVE-2022-30136, CVE-2022-31137, CVE-2022-44877, CVE-2022-46169, Exploit in the wild, Network security trends
## Executive Summary
Recent observations of exploits used in the wild November 2022-January 2023 reveal that attackers have been using newly published remote code execution vulnerabilities in the following three products:
- Roxy-WI, a web interface for managing and monitoring RoxyDNS
- CWP, a free web hosting control panel (aka Control Web Panel or CentOS Web Panel)
- Cacti, an open-source network monitoring and graphing tool used to track the performance of various network devices, servers and applications
Attackers have also been taking advantage of a path traversal and information disclosure vulnerability in ThoughtWorks GoCD to read sensitive files stored on servers.
In our observations of network security trends, Unit 42 researchers have pinpointed several attacks based o
References:
- http://packetstormsecurity.com/files/164784/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-Authentication-Bypass.html
- https://www.hitachi.com/hirt/security/index.html