ID

VAR-202111-0084


CVE

CVE-2021-31599


TITLE

Hitachi Vantara Pentaho and Pentaho Business Intelligence Server: vulnerability related to unrestricted upload of a dangerous file type

Trust: 0.8

sources: JVNDB: JVNDB-2021-014684

DESCRIPTION

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. A report (.prpt) file allows the inclusion of BeanShell scripts to ease the production of complex reports. An authenticated user can run arbitrary code. Hitachi Vantara Pentaho and Pentaho Business Intelligence Server therefore contain a vulnerability related to unrestricted upload of a dangerous file type (CWE-434). Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS).

Trust: 1.62

sources: NVD: CVE-2021-31599 // JVNDB: JVNDB-2021-014684
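The description above identifies the dangerous content as BeanShell expressions embedded in an uploaded .prpt bundle. The following is an added example, not code from the advisory or from Hitachi Vantara: a fail-closed pre-upload gate that opens a .prpt as the ZIP container it is, parses every XML entry, and reports any element whose class attribute names a BeanShell expression class. The bundle layout (an expressions.xml entry with <expression class="..."> elements), the BSHExpression and PageFunction class names, and the sample bundles are assumptions constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Substrings assumed to identify BeanShell expression classes in a .prpt bundle
# (assumption for this example; verify against the report files in your own deployment).
BEANSHELL_MARKERS = ("beanshell", "bshexpression")


def scan_prpt(data: bytes) -> list:
    """Inspect a .prpt bundle and return one (entry, tag, class) tuple per finding.

    Findings are either an XML element whose class attribute looks like a BeanShell
    expression, or an XML entry that could not be parsed (fail closed: a file that
    cannot be inspected is treated as a finding, not waved through).
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        raise ValueError("not a .prpt bundle: ZIP container expected")

    findings = []
    with zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            try:
                # NOTE: for production use parse with defusedxml to block entity
                # expansion tricks; ElementTree is used here to stay stdlib-only.
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                findings.append((name, "<unparseable-xml>", ""))
                continue
            for el in root.iter():
                cls = el.get("class", "")
                if any(marker in cls.lower() for marker in BEANSHELL_MARKERS):
                    # Strip the XML namespace from the tag for readable output.
                    findings.append((name, el.tag.split("}")[-1], cls))
    return findings


def is_upload_allowed(data: bytes) -> bool:
    """Gate for an upload handler: allow only bundles with no findings."""
    return not scan_prpt(data)


def build_sample_prpt(with_beanshell: bool) -> bytes:
    """Constructed sample bundle (not a real Pentaho export) in the assumed layout."""
    if with_beanshell:
        expression = (
            '<expression class="org.pentaho.reporting.engine.classic.core.modules'
            '.misc.beanshell.BSHExpression" name="x">'
            '<properties><property name="expression">return 1;</property></properties>'
            "</expression>"
        )
    else:
        expression = (
            '<expression class="org.pentaho.reporting.engine.classic.core'
            '.function.PageFunction" name="p"/>'
        )
    expressions_xml = (
        '<expressions xmlns="http://reporting.pentaho.org/namespaces/engine/'
        'classic/bundle/expressions/1.0">' + expression + "</expressions>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("expressions.xml", expressions_xml)
        zf.writestr("layout.xml", "<layout/>")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        sample = build_sample_prpt(flag)
        print("beanshell" if flag else "plain", "->", scan_prpt(sample), is_upload_allowed(sample))
```

Treat this as a compensating control around the report-upload path, not as a substitute for applying the vendor fix: the gate only refuses bundles it can recognise as carrying script expressions, and the scan should run on the server side with the upload privilege itself restricted to the users who actually need to publish reports.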

AFFECTED PRODUCTS

vendor: hitachi | model: vantara pentaho | scope: lte | version: 9.1.0.0

Trust: 1.0

vendor: hitachi | model: vantara pentaho business intelligence server | scope: lte | version: 7.1

Trust: 1.0

vendor: Hitachi | model: vantara pentaho business intelligence server | scope: - | version: -

Trust: 0.8

vendor: Hitachi | model: vantara pentaho | scope: - | version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-014684 // NVD: CVE-2021-31599

CVSS

SEVERITY

nvd@nist.gov: CVE-2021-31599
value: HIGH

Trust: 1.0

cve@mitre.org: CVE-2021-31599
value: HIGH

Trust: 1.0

NVD: CVE-2021-31599
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202111-526
value: HIGH

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2021-31599
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/Au:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

nvd@nist.gov: CVE-2021-31599
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 2.0

OTHER: JVNDB-2021-014684
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2021-014684 // CNNVD: CNNVD-202111-526 // NVD: CVE-2021-31599 // NVD: CVE-2021-31599

PROBLEMTYPE DATA

problemtype: CWE-434

Trust: 1.0

problemtype: Unrestricted Upload of File with Dangerous Type (CWE-434) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-014684 // NVD: CVE-2021-31599

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202111-526

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202111-526

PATCH

title: Security Information | url: https://www.hitachi.com/hirt/security/index.html

Trust: 0.8

title: Hitachi Vantara Pentaho fixes for code issue vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=169319

Trust: 0.6

sources: JVNDB: JVNDB-2021-014684 // CNNVD: CNNVD-202111-526

EXTERNAL IDS

db: NVD | id: CVE-2021-31599

Trust: 3.2

db: PACKETSTORM | id: 164772

Trust: 2.4

db: JVNDB | id: JVNDB-2021-014684

Trust: 0.8

db: CNNVD | id: CNNVD-202111-526

Trust: 0.6

sources: JVNDB: JVNDB-2021-014684 // CNNVD: CNNVD-202111-526 // NVD: CVE-2021-31599

REFERENCES

url:http://packetstormsecurity.com/files/164772/pentaho-business-analytics-pentaho-business-server-9.1-remote-code-execution.html

Trust: 3.0

url:https://www.hitachi.com/hirt/security/index.html

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2021-31599

Trust: 1.4

sources: JVNDB: JVNDB-2021-014684 // CNNVD: CNNVD-202111-526 // NVD: CVE-2021-31599

SOURCES

db: JVNDB | id: JVNDB-2021-014684
db: CNNVD | id: CNNVD-202111-526
db: NVD | id: CVE-2021-31599

LAST UPDATE DATE

2024-08-14T14:25:08.541000+00:00


SOURCES UPDATE DATE

db: JVNDB | id: JVNDB-2021-014684 | date: 2022-10-24T04:47:00
db: CNNVD | id: CNNVD-202111-526 | date: 2021-11-15T00:00:00
db: NVD | id: CVE-2021-31599 | date: 2021-11-09T21:20:33.097

SOURCES RELEASE DATE

db: JVNDB | id: JVNDB-2021-014684 | date: 2022-10-24T00:00:00
db: CNNVD | id: CNNVD-202111-526 | date: 2021-11-05T00:00:00
db: NVD | id: CVE-2021-31599 | date: 2021-11-08T04:15:08.107