Hitachi Vantara Pentaho Business Analytics through 9.1 allows an unauthenticated user to execute arbitrary SQL queries on any Pentaho data source and thus retrieve data from the related databases, as demonstrated by an api/repos/dashboards/editor URI.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/164791/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-SQL-Injection.html | Exploit Third Party Advisory VDB Entry |
https://www.hitachi.com/hirt/security/index.html | Vendor Advisory |
Configurations
History
09 Nov 2021, 21:36
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 7.5
v3 : 9.8 |
CWE | CWE-89 | |
CPE | cpe:2.3:a:hitachi:vantara_pentaho:*:*:*:*:*:*:*:* | |
References | (MISC) https://www.hitachi.com/hirt/security/index.html - Vendor Advisory | |
References | (MISC) http://packetstormsecurity.com/files/164791/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-SQL-Injection.html - Exploit, Third Party Advisory, VDB Entry |
08 Nov 2021, 04:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-11-08 04:15
Updated : 2023-12-10 14:09
NVD link : CVE-2021-34684
Mitre link : CVE-2021-34684
CVE.ORG link : CVE-2021-34684
JSON object : View
Products Affected
hitachi
- vantara_pentaho
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')