CVE-2021-45447

Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and 8.3.0.25 with the Data Lineage feature enabled transmits database passwords in clear text. The transmission of sensitive data in clear text allows unauthorized actors with access to the network to sniff and obtain sensitive information that can be later used to gain unauthorized access.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://support.pentaho.com/hc/en-us/articles/6744504393101	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:hitachi:vantara_pentaho::::::::
	cpe:2.3:a:hitachi:vantara_pentaho::::::::

History

No history.

Information

Published : 2022-11-02 15:15

Updated : 2023-11-07 03:39

NVD link : CVE-2021-45447

Mitre link : CVE-2021-45447

CVE.ORG link : CVE-2021-45447

JSON object : View

Products Affected

hitachi

vantara_pentaho

CWE

CWE-319

Cleartext Transmission of Sensitive Information

{"id": "CVE-2021-45447", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security.vulnerabilities@hitachivantara.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 5.5, "exploitabilityScore": 2.2}]}, "published": "2022-11-02T15:15:10.247", "references": [{"url": "https://support.pentaho.com/hc/en-us/articles/6744504393101", "tags": ["Vendor Advisory"], "source": "security.vulnerabilities@hitachivantara.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-319"}]}, {"type": "Secondary", "source": "security.vulnerabilities@hitachivantara.com", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "\nHitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and \n8.3.0.25 with the Data Lineage feature enabled transmits database passwords in clear text.\u00a0\u00a0\n\nThe transmission of sensitive data in clear text allows unauthorized actors with access to the \nnetwork to sniff and obtain sensitive information that can be later used to gain unauthorized \naccess.\n\n\n"}, {"lang": "es", "value": "Las versiones de Hitachi Vantara Pentaho Business Analytics Server anteriores a 9.3.0.0, 9.2.0.2 y 8.3.0.25 con la funci\u00f3n Data Lineage habilitada transmite las contrase\u00f1as de la base de datos en texto plano. La transmisi\u00f3n de datos confidenciales en texto plano permite a actores no autorizados con acceso a la red rastrear y obtener informaci\u00f3n confidencial que luego puede usarse para obtener acceso no autorizado."}], "lastModified": "2023-11-07T03:39:50.590", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hitachi:vantara_pentaho:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AB67F45F-D25C-4B85-8819-433D89F3EF1F", "versionEndExcluding": "8.3.0.25", "versionStartIncluding": "8.3.0.0"}, {"criteria": "cpe:2.3:a:hitachi:vantara_pentaho:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "111F5389-BE1D-480F-8229-3EEDF8F6D82A", "versionEndExcluding": "9.2.0.2", "versionStartIncluding": "9.2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security.vulnerabilities@hitachivantara.com"}