CVE-2021-45446: CWE-548 in Hitachi Vantara Pentaho Business Analytics Server
A vulnerability in Hitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 does not cascade the hidden property to the children of the Home folder. This directory listing provides an attacker with the complete index of all the resources located inside the directory.
AI Analysis
Technical Summary
CVE-2021-45446 is a medium-severity vulnerability (CVSS 5.0) affecting Hitachi Vantara Pentaho Business Analytics Server versions prior to 9.2.0.2 and 8.3.0.25. The root cause is a failure in the server's handling of the 'hidden' property within the Home folder directory structure. Specifically, the vulnerability arises because the hidden attribute is not cascaded to child directories and resources inside the Home folder. This results in the server inadvertently exposing a complete directory listing of all resources contained within the Home folder. An attacker with at least low-level privileges (PR:L) and network access (AV:N) can remotely access this directory listing without requiring user interaction (UI:N). The vulnerability impacts confidentiality by revealing the structure and contents of directories that are intended to be hidden, potentially exposing sensitive files or configuration data. However, it does not affect integrity or availability, as the vulnerability does not allow modification or disruption of services. The scope is considered changed (S:C) because the vulnerability affects resources beyond the initially intended scope of the hidden property. The weakness corresponds to CWE-548, which relates to exposure of information through directory listings. No known exploits are currently reported in the wild, and no official patches or mitigation links were provided at the time of publication. The vulnerability is specific to the Pentaho Business Analytics Server, a business intelligence platform used for data integration, analytics, and reporting, which is often deployed in enterprise environments for decision support and data visualization.
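The following is an added illustration of the root cause described above, written for this page; it is a constructed model of a repository tree and not Pentaho's own code or data structures. It contrasts a listing rule that consults only each entry's own 'hidden' flag (the pre-fix behaviour the text describes) with one that treats an entry as hidden whenever any ancestor is hidden, which is what "cascading" the property means in practice. Folder and file names are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed model of a repository tree; NOT Pentaho's own data structures.
@dataclass
class Node:
    name: str
    hidden: bool = False                    # the node's OWN 'hidden' property
    parent: Optional["Node"] = None
    children: Dict[str, "Node"] = field(default_factory=dict)

    def add(self, name: str, hidden: bool = False) -> "Node":
        child = Node(name, hidden, parent=self)
        self.children[name] = child
        return child

    def path(self) -> str:
        parts: List[str] = []
        n: Optional[Node] = self
        while n is not None:
            parts.append(n.name)
            n = n.parent
        return "/" + "/".join(p for p in reversed(parts) if p)

def effective_hidden(node: Node) -> bool:
    """Cascaded rule: a node is hidden if it or any ancestor is marked hidden."""
    n: Optional[Node] = node
    while n is not None:
        if n.hidden:
            return True
        n = n.parent
    return False

def build_index(folder: Node, is_listed: Callable[[Node], bool]) -> List[str]:
    """Recursively collect the paths a listing would return for `folder`,
    using is_listed(node) as the visibility rule for each entry."""
    out: List[str] = []
    for child in folder.children.values():
        if is_listed(child):
            out.append(child.path())
            out.extend(build_index(child, is_listed))
    return sorted(out)

def index_vulnerable(folder: Node) -> List[str]:
    """Pre-fix behaviour: only each entry's own flag is consulted, so a hidden
    parent folder does not hide its children when it is listed directly."""
    return build_index(folder, lambda n: not n.hidden)

def index_fixed(folder: Node) -> List[str]:
    """Post-fix behaviour: the hidden property cascades down the tree."""
    return build_index(folder, lambda n: not effective_hidden(n))

def build_sample_tree() -> Node:
    # Constructed sample: the Home folder is marked hidden, its children are not.
    root = Node("")
    home = root.add("home", hidden=True)
    alice = home.add("alice")
    alice.add("report")
    alice.add("notes")
    public = root.add("public")
    public.add("dashboard")
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    home = root.children["home"]
    # Listing from the root looks the same either way: 'home' itself is hidden.
    print("root, vulnerable:", index_vulnerable(root))
    print("root, fixed:     ", index_fixed(root))
    # Listing the hidden Home folder directly is where the two rules diverge.
    print("home, vulnerable:", index_vulnerable(home))
    print("home, fixed:     ", index_fixed(home))
```

The point the model makes is that a top-level listing looks correct under both rules, so the defect is invisible until the hidden folder's children are requested directly; a check of the effective (inherited) flag, rather than the entry's own flag, closes that gap.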
Potential Impact
For European organizations, the exposure of directory listings in Pentaho Business Analytics Server can lead to unauthorized disclosure of sensitive information such as configuration files, data sources, or internal resource structures. This information leakage can aid attackers in reconnaissance activities, facilitating further targeted attacks such as privilege escalation, data exfiltration, or exploitation of other vulnerabilities. Organizations relying on Pentaho for critical business analytics and reporting may face increased risk of data exposure, potentially impacting compliance with data protection regulations like GDPR. While the vulnerability does not directly allow data modification or service disruption, the confidentiality breach can undermine trust and lead to indirect operational impacts. Industries with high reliance on business intelligence platforms, such as finance, manufacturing, and public sector entities, may be particularly affected. The medium severity rating suggests that while the threat is not immediately critical, it warrants timely attention to prevent escalation or chaining with other vulnerabilities.
Mitigation Recommendations
1. Upgrade Pentaho Business Analytics Server to versions 9.2.0.2 or 8.3.0.25 or later, where the vulnerability has been addressed.
2. If immediate upgrade is not feasible, implement access controls at the web server or network level to restrict access to the Home folder directory listings only to authorized users or IP ranges.
3. Review and harden file system permissions to ensure sensitive directories and files are not accessible to unauthorized users.
4. Employ web application firewalls (WAF) with rules to detect and block attempts to access directory listings or unauthorized resource enumeration.
5. Conduct regular security audits and penetration tests focusing on directory traversal and information disclosure vulnerabilities within the analytics environment.
6. Monitor logs for unusual access patterns to the Home folder or directory listing endpoints to detect potential reconnaissance activity.
7. Educate administrators on the importance of properly configuring hidden properties and directory permissions within the Pentaho environment to prevent similar misconfigurations.
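As an added example of recommendation 6 (not part of the original analysis), the script below runs a simple enumeration detector over web-server access logs: it picks out successful requests to a directory-listing endpoint and flags any client that listed more than a threshold of distinct Home sub-folders within a short window. The endpoint pattern `/repo/home/.../children`, the threshold, the window and the log lines are all constructed placeholders for this illustration; the real listing path must be taken from the deployment, as the page does not give it.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Placeholder pattern for the listing endpoint (constructed; not from the page).
LISTING_PATH_RE = re.compile(r"^/repo/home(?:/[^/]+)*/children$")
THRESHOLD = 5        # distinct listing paths per source that trigger a flag (assumed)
WINDOW_SECONDS = 60  # sliding window length (assumed)

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_enumeration(lines: List[str], threshold: int = THRESHOLD,
                     window: int = WINDOW_SECONDS) -> Dict[str, List[str]]:
    """Return {source: [distinct listing paths]} for every ip/user that fetched
    more than `threshold` distinct listing paths (HTTP 200) within `window` s."""
    per_source: Dict[str, list] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue                       # skip unparseable and failed requests
        if not LISTING_PATH_RE.match(rec["path"]):
            continue                       # not a listing request
        per_source[f'{rec["ip"]}/{rec["user"]}'].append((rec["ts"], rec["path"]))

    flagged: Dict[str, List[str]] = {}
    for src, events in per_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):     # sliding window over sorted timestamps
            while (events[end][0] - events[start][0]).total_seconds() > window:
                start += 1
            distinct = {path for _, path in events[start:end + 1]}
            if len(distinct) > threshold:
                flagged[src] = sorted(distinct)
                break
    return flagged

# Constructed sample log: one client walks six users' Home folders in ten
# seconds; another only lists its own folder and a public one.
SAMPLE_LOG = """\
203.0.113.7 - analyst1 [12/Aug/2025:10:00:01 +0000] "GET /repo/home/alice/children HTTP/1.1" 200 512
203.0.113.7 - analyst1 [12/Aug/2025:10:00:03 +0000] "GET /repo/home/bob/children HTTP/1.1" 200 498
203.0.113.7 - analyst1 [12/Aug/2025:10:00:05 +0000] "GET /repo/home/carol/children HTTP/1.1" 200 440
203.0.113.7 - analyst1 [12/Aug/2025:10:00:07 +0000] "GET /repo/home/dave/children HTTP/1.1" 200 470
203.0.113.7 - analyst1 [12/Aug/2025:10:00:09 +0000] "GET /repo/home/erin/children HTTP/1.1" 200 455
203.0.113.7 - analyst1 [12/Aug/2025:10:00:11 +0000] "GET /repo/home/frank/children HTTP/1.1" 200 461
203.0.113.7 - analyst1 [12/Aug/2025:10:00:12 +0000] "GET /repo/home/grace/children HTTP/1.1" 403 120
198.51.100.20 - bob [12/Aug/2025:10:00:02 +0000] "GET /repo/home/bob/children HTTP/1.1" 200 498
198.51.100.20 - bob [12/Aug/2025:10:00:40 +0000] "GET /repo/home/bob/children HTTP/1.1" 200 498
198.51.100.20 - bob [12/Aug/2025:10:01:10 +0000] "GET /repo/public/children HTTP/1.1" 200 300
this line is not an access-log record
"""

if __name__ == "__main__":
    for src, paths in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {len(paths)} distinct Home listings -> {paths}")
```

Counting distinct paths rather than raw requests keeps a user who refreshes their own folder from tripping the rule, while someone walking other users' folders is caught even at a modest pace; tune the threshold and window to the normal traffic of the deployment before alerting on it.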
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: HITVAN
- Date Reserved: 2021-12-21T05:57:40.703Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9838c4522896dcbebf20
Added to database: 5/21/2025, 9:09:12 AM
Last enriched: 6/26/2025, 1:27:36 AM
Last updated: 8/12/2025, 3:36:34 PM
Views: 11
Related Threats
- CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR (Critical)
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)