Packet Storm

what you don't know can hurt you

Register | Login

Home Files News &[SERVICES_TAB]About Contact Add New

Pentaho Business Analytics / Pentaho Business Server 9.1 SQL Injection: Posted Nov 5, 2021; Authored by Altion Malka, Alberto Favero; Pentaho allows users to create and manage Data Sources. Users can select a Data Source when creating a Dashboard through the Pentaho User Console. When a Data Source is added, Pentaho makes a HTTP request to the dashboards editor (/pentaho/api/repos/dashboards/editor) in order to test the connection by executing a test SQL query. However, further examination revealed that by utilizing CVE-2021-31602, an authentication bypass of Spring APIs, it is possible for an unauthenticated user to execute arbitrary SQL queries on any Pentaho datasource and thus retrieve data from the related databases.; tags | exploit, web, arbitrary, sql injection; advisories | CVE-2021-31602, CVE-2021-34684; SHA-256 | aafd5de6352edfc97e93496f171ced94b49f52a6817c483a7aec6ee26649a0e9; Download | Favorite | View

Related Files

No related files

Top Authors In Last 30 Days

Red Hat 250 files
indoushka 150 files
Ubuntu 90 files
Gentoo 32 files
Debian 24 files
LiquidWorm 15 files
Apple 11 files
malvuln 8 files
Google Security Research 7 files
verylazytech 4 files

File Tags

File Archives

Systems

AIX (430)
Apple (2,117)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,143)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,599)
HPUX (881)
iOS (391)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,538)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,026)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,918)
UNIX (9,469)
UnixWare (188)
Windows (6,784)
Other

packet storm

© 2024 Packet Storm. All rights reserved.

Site Links: News by Month; News Tags; Files by Month; File Tags; File Directory

About Us: History & Purpose; Contact Information; Terms of Service; Privacy Statement; Copyright Information

Services: Security Services
Hosting By: Rokasec