CVE-2021-31602

MEDIUM EXPLOITED NUCLEI

Hitachi Vantara Pentaho < 9.1.0.0 - Authentication Bypass

Title source: rule

Description

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials.

Nuclei Templates (1)

Hitachi Vantara Pentaho/Business Intelligence Server - Authentication Bypass

HIGHby pussycat0x

Shodan: Pentaho || pentaho

References (2)

[Vendor Advisory] https://www.hitachi.com/hirt/security/index.html

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/164784/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-Authentication-Bypass.html

Scores

CVSS v3 5.3

EPSS 0.9277

EPSS Percentile 99.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

VulnCheck KEV 2023-05-02

CWE

CWE-287

Status published

Products (2)

hitachi/vantara_pentaho < 9.1.0.0

hitachi/vantara_pentaho_business_intelligence_server < 7.1

Published Nov 08, 2021

Tracked Since Feb 18, 2026