ID

VAR-202111-0079


CVE

CVE-2021-34685


TITLE

Hitachi Vantara Pentaho Business Analytics: unrestricted upload of dangerous file types vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-014776

DESCRIPTION

UploadService in Hitachi Vantara Pentaho Business Analytics through 9.1 does not properly verify uploaded user files, which allows an authenticated user to upload files of various types. Specifically, a .jsp file is not allowed, but a .jsp. file is allowed (and leads to remote code execution). Hitachi Vantara Pentaho Business Analytics contains an unrestricted upload of dangerous file types vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS).

Trust: 1.62

sources: NVD: CVE-2021-34685 // JVNDB: JVNDB-2021-014776

AFFECTED PRODUCTS

vendor: hitachi
model: vantara pentaho
scope: lte
version: 9.1.0.0

Trust: 1.0

vendor: Hitachi
model: vantara pentaho
scope: eq
version: -

Trust: 0.8

vendor: Hitachi
model: vantara pentaho
scope: eq
version: up to 9.1

Trust: 0.8

sources: JVNDB: JVNDB-2021-014776 // NVD: CVE-2021-34685

CVSS

SEVERITY

nvd@nist.gov: CVE-2021-34685
value: HIGH

Trust: 1.0

cve@mitre.org: CVE-2021-34685
value: LOW

Trust: 1.0

NVD: CVE-2021-34685
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202111-522
value: HIGH

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2021-34685
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

nvd@nist.gov: CVE-2021-34685
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 1.0

cve@mitre.org: CVE-2021-34685
baseSeverity: LOW
baseScore: 2.7
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.2
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: CVE-2021-34685
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2021-014776 // CNNVD: CNNVD-202111-522 // NVD: CVE-2021-34685

PROBLEMTYPE DATA

problemtype: CWE-434

Trust: 1.0

problemtype: Unrestricted upload of file with dangerous type (CWE-434) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-014776 // NVD: CVE-2021-34685

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202111-522

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202111-522

PATCH

title: Security Information
url: https://www.hitachi.com/hirt/security/index.html

Trust: 0.8

sources: JVNDB: JVNDB-2021-014776

EXTERNAL IDS

db: NVD, id: CVE-2021-34685

Trust: 3.2

db: PACKETSTORM, id: 164775

Trust: 2.4

db: JVNDB, id: JVNDB-2021-014776

Trust: 0.8

db: CNNVD, id: CNNVD-202111-522

Trust: 0.6

sources: JVNDB: JVNDB-2021-014776 // CNNVD: CNNVD-202111-522 // NVD: CVE-2021-34685

REFERENCES

url: http://packetstormsecurity.com/files/164775/pentaho-business-analytics-pentaho-business-server-9.1-filename-bypass.html

Trust: 3.0

url: https://www.hitachi.com/hirt/security/index.html

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2021-34685

Trust: 1.4

sources: JVNDB: JVNDB-2021-014776 // CNNVD: CNNVD-202111-522 // NVD: CVE-2021-34685

SOURCES

db: JVNDB, id: JVNDB-2021-014776
db: CNNVD, id: CNNVD-202111-522
db: NVD, id: CVE-2021-34685

LAST UPDATE DATE

2024-08-14T14:11:12.227000+00:00

SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2021-014776, date: 2022-10-27T07:09:00
db: CNNVD, id: CNNVD-202111-522, date: 2021-11-16T00:00:00
db: NVD, id: CVE-2021-34685, date: 2021-11-09T21:52:39.497

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2021-014776, date: 2022-10-27T00:00:00
db: CNNVD, id: CNNVD-202111-522, date: 2021-11-05T00:00:00
db: NVD, id: CVE-2021-34685, date: 2021-11-08T04:15:08.377