CVE-2021-45446 is a medium-severity vulnerability (CVSS 5.0) affecting Hitachi Vantara Pentaho Business Analytics Server versions prior to 9.2.0.2 and 8.3.0.25. The root cause is a failure in the server's handling of the 'hidden' property within the Home folder directory structure. Specifically, the vulnerability arises because the hidden attribute is not cascaded to child directories and resources inside the Home folder. This results in the server inadvertently exposing a complete directory listing of all resources contained within the Home folder. An attacker with at least low-level privileges (PR:L) and network access (AV:N) can remotely access this directory listing without requiring user interaction (UI:N). The vulnerability impacts confidentiality by revealing the structure and contents of directories that are intended to be hidden, potentially exposing sensitive files or configuration data. However, it does not affect integrity or availability, as the vulnerability does not allow modification or disruption of services. The scope is considered changed (S:C) because the vulnerability affects resources beyond the initially intended scope of the hidden property. The weakness corresponds to CWE-548, which relates to exposure of information through directory listings. No known exploits are currently reported in the wild, and no official patches or mitigation links were provided at the time of publication. The vulnerability is specific to the Pentaho Business Analytics Server, a business intelligence platform used for data integration, analytics, and reporting, which is often deployed in enterprise environments for decision support and data visualization.

For European organizations, the exposure of directory listings in Pentaho Business Analytics Server can lead to unauthorized disclosure of sensitive information such as configuration files, data sources, or internal resource structures. This information leakage can aid attackers in reconnaissance activities, facilitating further targeted attacks such as privilege escalation, data exfiltration, or exploitation of other vulnerabilities. Organizations relying on Pentaho for critical business analytics and reporting may face increased risk of data exposure, potentially impacting compliance with data protection regulations like GDPR. While the vulnerability does not directly allow data modification or service disruption, the confidentiality breach can undermine trust and lead to indirect operational impacts. Industries with high reliance on business intelligence platforms, such as finance, manufacturing, and public sector entities, may be particularly affected. The medium severity rating suggests that while the threat is not immediately critical, it warrants timely attention to prevent escalation or chaining with other vulnerabilities.

1. Upgrade Pentaho Business Analytics Server to versions 9.2.0.2 or 8.3.0.25 or later, where the vulnerability has been addressed. 2. If immediate upgrade is not feasible, implement access controls at the web server or network level to restrict access to the Home folder directory listings only to authorized users or IP ranges. 3. Review and harden file system permissions to ensure sensitive directories and files are not accessible to unauthorized users. 4. Employ web application firewalls (WAF) with rules to detect and block attempts to access directory listings or unauthorized resource enumeration. 5. Conduct regular security audits and penetration tests focusing on directory traversal and information disclosure vulnerabilities within the analytics environment. 6. Monitor logs for unusual access patterns to the Home folder or directory listing endpoints to detect potential reconnaissance activity. 7. Educate administrators on the importance of properly configuring hidden properties and directory permissions within the Pentaho environment to prevent similar misconfigurations.