Hitachi Vantara Pentaho/Business Intelligence Server - Authentication Bypass (CVE-2021-31602)
Source: pentest-tools.com, indexed 2025-03-26
Download link:
https://pentest-tools.com/vulnerabilities-exploits/undefined
Resource description:
Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x are vulnerable to authentication bypass. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials.
Provided by:
pentest-tools.com



