CVE-2021-45446

A vulnerability in Hitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 does not cascade the hidden property to the children of the Home folder. This directory listing provides an attacker with the complete index of all the resources located inside the directory.

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://support.pentaho.com/hc/en-us/articles/6744813983501	Vendor Advisory
https://support.pentaho.com/hc/en-us/articles/6744813983501	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:hitachi:vantara_pentaho::::::::
	cpe:2.3:a:hitachi:vantara_pentaho::::::::

History

21 Nov 2024, 06:32

Type	Values Removed	Values Added
References	~~() https://support.pentaho.com/hc/en-us/articles/6744813983501 - Vendor Advisory~~	() https://support.pentaho.com/hc/en-us/articles/6744813983501 - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~7.5~~	v2 : unknown v3 : 5.0

21 Jul 2023, 16:52

Type	Values Removed	Values Added
CWE	~~CWE-668~~	CWE-281

04 Nov 2022, 13:48

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~(MISC) https://support.pentaho.com/hc/en-us/articles/6744813983501 -~~	(MISC) https://support.pentaho.com/hc/en-us/articles/6744813983501 - Vendor Advisory
CPE		cpe:2.3:a:hitachi:vantara_pentaho::::::::
CWE		CWE-668

02 Nov 2022, 15:51

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-11-02 15:15

Updated : 2024-11-21 06:32

NVD link : CVE-2021-45446

Mitre link : CVE-2021-45446

CVE.ORG link : CVE-2021-45446

JSON object : View

Products Affected

hitachi

vantara_pentaho

CWE

CWE-548

Exposure of Information Through Directory Listing

CWE-281

Improper Preservation of Permissions

{"id": "CVE-2021-45446", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security.vulnerabilities@hitachivantara.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-11-02T15:15:09.683", "references": [{"url": "https://support.pentaho.com/hc/en-us/articles/6744813983501", "tags": ["Vendor Advisory"], "source": "security.vulnerabilities@hitachivantara.com"}, {"url": "https://support.pentaho.com/hc/en-us/articles/6744813983501", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security.vulnerabilities@hitachivantara.com", "description": [{"lang": "en", "value": "CWE-548"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-281"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in \n\nHitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.2 and \n8.3.0.25 does not cascade the hidden property to the children of the Home folder.\u00a0 This directory listing provides an attacker with the complete index of all the resources located \ninside the directory. \n\n\n"}, {"lang": "es", "value": "Una vulnerabilidad en las versiones de Hitachi Vantara Pentaho Business Analytics Server anteriores a 9.2.0.2 y 8.3.0.25 no conecta en cascada la propiedad oculta a los elementos secundarios de la carpeta Inicio. Esta lista de directorio proporciona al atacante el \u00edndice completo de todos los recursos ubicados dentro del directorio."}], "lastModified": "2024-11-21T06:32:13.470", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hitachi:vantara_pentaho:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AB67F45F-D25C-4B85-8819-433D89F3EF1F", "versionEndExcluding": "8.3.0.25", "versionStartIncluding": "8.3.0.0"}, {"criteria": "cpe:2.3:a:hitachi:vantara_pentaho:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "111F5389-BE1D-480F-8229-3EEDF8F6D82A", "versionEndExcluding": "9.2.0.2", "versionStartIncluding": "9.2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security.vulnerabilities@hitachivantara.com"}