Details of VAR-202111-0082

ID

VAR-202111-0082

CVE

CVE-2021-31601

TITLE

Hitachi Vantara Pentaho and Pentaho Business Intelligence Server Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-014682

DESCRIPTION

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. They implement a series of web services using the SOAP protocol to allow scripting interaction with the backend server. An authenticated user (regardless of privileges) can list all databases connection details and credentials

Trust: 1.71

sources: NVD: CVE-2021-31601 // JVNDB: JVNDB-2021-014682 // VULMON: CVE-2021-31601

AFFECTED PRODUCTS

vendor:	hitachi	model:	vantara pentaho	scope:	lte	version:	9.1.0.0	Trust: 1.0
vendor:	hitachi	model:	vantara pentaho business intelligence server	scope:	lte	version:	7.1	Trust: 1.0
vendor:	日立	model:	vantara pentaho business intelligence server	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	vantara pentaho	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-014682 // NVD: CVE-2021-31601

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-31601
value:	MEDIUM
Trust: 1.0
cve@mitre.org:	CVE-2021-31601
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-31601
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202111-529
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2021-31601
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-31601
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

nvd@nist.gov:	CVE-2021-31601
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 1.0
cve@mitre.org:	CVE-2021-31601
baseSeverity:	HIGH
baseScore:	7.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	4.2
version:	3.1
Trust: 1.0
NVD:	CVE-2021-31601
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2021-31601 // JVNDB: JVNDB-2021-014682 // CNNVD: CNNVD-202111-529 // NVD: CVE-2021-31601 // NVD: CVE-2021-31601

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	others (CWE-Other) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-014682 // NVD: CVE-2021-31601

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202111-529

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202111-529

PATCH

title:	Security Information	url:	https://www.hitachi.com/hirt/security/index.html	Trust: 0.8
title:	Hitachi Vantara Pentaho Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=169954	Trust: 0.6
title:	-	url:	https://github.com/20142995/Goby	Trust: 0.1

sources: VULMON: CVE-2021-31601 // JVNDB: JVNDB-2021-014682 // CNNVD: CNNVD-202111-529

EXTERNAL IDS

db:	NVD	id:	CVE-2021-31601	Trust: 3.3
db:	PACKETSTORM	id:	164779	Trust: 2.5
db:	JVNDB	id:	JVNDB-2021-014682	Trust: 0.8
db:	CNNVD	id:	CNNVD-202111-529	Trust: 0.6
db:	VULMON	id:	CVE-2021-31601	Trust: 0.1

sources: VULMON: CVE-2021-31601 // JVNDB: JVNDB-2021-014682 // CNNVD: CNNVD-202111-529 // NVD: CVE-2021-31601

REFERENCES

url:	http://packetstormsecurity.com/files/164779/pentaho-business-analytics-pentaho-business-server-9.1-insufficient-access-control.html	Trust: 3.2
url:	https://www.hitachi.com/hirt/security/index.html	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-31601	Trust: 1.4
url:	https://cwe.mitre.org/data/definitions/.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2021-31601 // JVNDB: JVNDB-2021-014682 // CNNVD: CNNVD-202111-529 // NVD: CVE-2021-31601

SOURCES

db:	VULMON	id:	CVE-2021-31601
db:	JVNDB	id:	JVNDB-2021-014682
db:	CNNVD	id:	CNNVD-202111-529
db:	NVD	id:	CVE-2021-31601

LAST UPDATE DATE

2024-08-14T15:37:51.945000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2021-31601	date:	2022-07-12T00:00:00
db:	JVNDB	id:	JVNDB-2021-014682	date:	2022-10-24T03:26:00
db:	CNNVD	id:	CNNVD-202111-529	date:	2022-07-14T00:00:00
db:	NVD	id:	CVE-2021-31601	date:	2022-07-12T17:42:04.277

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2021-31601	date:	2021-11-08T00:00:00
db:	JVNDB	id:	JVNDB-2021-014682	date:	2022-10-24T00:00:00
db:	CNNVD	id:	CNNVD-202111-529	date:	2021-11-05T00:00:00
db:	NVD	id:	CVE-2021-31601	date:	2021-11-08T04:15:08.213