ID

VAR-202111-0081


CVE

CVE-2021-31602


TITLE

Authentication vulnerability in Hitachi Vantara Pentaho and Pentaho Business Intelligence Server

Trust: 0.8

sources: JVNDB: JVNDB-2021-014681

DESCRIPTION

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials.

Trust: 1.71

sources: NVD: CVE-2021-31602 // JVNDB: JVNDB-2021-014681 // VULMON: CVE-2021-31602

AFFECTED PRODUCTS

vendor: hitachi, model: vantara pentaho, scope: lte, version: 9.1.0.0

Trust: 1.0

vendor: hitachi, model: vantara pentaho business intelligence server, scope: lte, version: 7.1

Trust: 1.0

vendor: Hitachi, model: vantara pentaho business intelligence server, scope: -, version: -

Trust: 0.8

vendor: Hitachi, model: vantara pentaho, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-014681 // NVD: CVE-2021-31602

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-31602
value: HIGH

Trust: 1.0

cve@mitre.org: CVE-2021-31602
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-31602
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202111-550
value: HIGH

Trust: 0.6

VULMON: CVE-2021-31602
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-31602
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

nvd@nist.gov: CVE-2021-31602
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

cve@mitre.org: CVE-2021-31602
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: CVE-2021-31602
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2021-31602 // JVNDB: JVNDB-2021-014681 // CNNVD: CNNVD-202111-550 // NVD: CVE-2021-31602 // NVD: CVE-2021-31602

PROBLEMTYPE DATA

problemtype: CWE-287

Trust: 1.0

problemtype: Inappropriate authentication (CWE-287) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-014681 // NVD: CVE-2021-31602

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202111-550

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202111-550

PATCH

title: Security Information, url: https://www.hitachi.com/hirt/security/index.html

Trust: 0.8

title: -, url: https://github.com/20142995/Goby

Trust: 0.1

sources: VULMON: CVE-2021-31602 // JVNDB: JVNDB-2021-014681

EXTERNAL IDS

db: NVD, id: CVE-2021-31602

Trust: 3.3

db: PACKETSTORM, id: 164784

Trust: 2.5

db: JVNDB, id: JVNDB-2021-014681

Trust: 0.8

db: CNNVD, id: CNNVD-202111-550

Trust: 0.6

db: VULMON, id: CVE-2021-31602

Trust: 0.1

sources: VULMON: CVE-2021-31602 // JVNDB: JVNDB-2021-014681 // CNNVD: CNNVD-202111-550 // NVD: CVE-2021-31602

REFERENCES

url: http://packetstormsecurity.com/files/164784/pentaho-business-analytics-pentaho-business-server-9.1-authentication-bypass.html

Trust: 3.2

url: https://www.hitachi.com/hirt/security/index.html

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2021-31602

Trust: 1.4

url: https://cwe.mitre.org/data/definitions/287.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2021-31602 // JVNDB: JVNDB-2021-014681 // CNNVD: CNNVD-202111-550 // NVD: CVE-2021-31602

SOURCES

db: VULMON, id: CVE-2021-31602
db: JVNDB, id: JVNDB-2021-014681
db: CNNVD, id: CNNVD-202111-550
db: NVD, id: CVE-2021-31602

LAST UPDATE DATE

2024-08-14T15:17:00.708000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2021-31602, date: 2022-07-12T00:00:00
db: JVNDB, id: JVNDB-2021-014681, date: 2022-10-24T03:17:00
db: CNNVD, id: CNNVD-202111-550, date: 2022-07-14T00:00:00
db: NVD, id: CVE-2021-31602, date: 2022-07-12T17:42:04.277

SOURCES RELEASE DATE

db: VULMON, id: CVE-2021-31602, date: 2021-11-08T00:00:00
db: JVNDB, id: JVNDB-2021-014681, date: 2022-10-24T00:00:00
db: CNNVD, id: CNNVD-202111-550, date: 2021-11-05T00:00:00
db: NVD, id: CVE-2021-31602, date: 2021-11-08T04:15:08.267