Description

Acunetix determined that it was possible to access Pentaho API without authentication with a specially crafted HTTP request.

Remediation

Upgrade to the latest version of Pentaho

References

Pentaho Authentication Bypass

Related Vulnerabilities

WordPress default administrator account

Insecure Transportation Security Protocol Supported (TLS 1.0)

Apache Spark Web UI Unauthorized Access Vulnerability

MovableType remote code execution

ASP.NET potential HTTP Verb Tampering

Severity

High

Classification

CVE-2021-31602 CWE-863 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Configuration