CVE-2021-31602

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file...

CVE-2021-34685

UploadService in Hitachi Vantara Pentaho Business Analytics through 9.1 does not properly verify uploaded user files, which allows an authenticated user to upload various files of different file types. Specifically, a .jsp file is not allowed, but a .jsp. file is allowed (and leads to remote code e...

CVE-2021-45446

A vulnerability in Hitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.2 and8.3.0.25 does not cascade the hidden property to the children of the Home folder. This directory listing provides an attacker with the complete index of all the resources locatedinside the directory.

CVE-2021-31601

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. They implement a series of web services using the SOAP protocol to allow scripting interaction with the backend server. An authenticated user (regardless of privileges) can list all ...

CVE-2021-45447

Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and8.3.0.25 with the Data Lineage feature enabled transmits database passwords in clear text. The transmission of sensitive data in clear text allows unauthorized actors with access to thenetwork to sniff and obtain ...

CVE-2021-45448

Pentaho Business AnalyticsServer versions before 9.2.0.2 and 8.3.0.25 using the PentahoAnalyzer plugin exposes a service endpoint for templates which allows auser-supplied path to access resources that are out of bounds. The software uses external input to construct a pathname that is intended to i...