Details of VAR-202211-0122

ID

VAR-202211-0122

CVE

CVE-2021-45448

TITLE

Hitachi Vantara's Vantara Pentaho Past traversal vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-020580

DESCRIPTION

Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 using the Pentaho Analyzer plugin exposes a service endpoint for templates which allows a user-supplied path to access resources that are out of bounds. The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. By using special elements such as ".." and "/" separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. Hitachi Vantara's Vantara Pentaho Exists in a past traversal vulnerability.Information may be obtained

Trust: 1.62

sources: NVD: CVE-2021-45448 // JVNDB: JVNDB-2021-020580

AFFECTED PRODUCTS

vendor:	hitachi	model:	vantara pentaho	scope:	lt	version:	8.3.0.25	Trust: 1.0
vendor:	hitachi	model:	vantara pentaho	scope:	gte	version:	9.2.0.0	Trust: 1.0
vendor:	hitachi	model:	vantara pentaho	scope:	lt	version:	9.2.0.2	Trust: 1.0
vendor:	hitachi	model:	vantara pentaho	scope:	gte	version:	8.3.0.0	Trust: 1.0
vendor:	日立ヴァンタラ	model:	vantara pentaho	scope:	eq	version:	9.2.0.0 that's all 9.2.0.2	Trust: 0.8
vendor:	日立ヴァンタラ	model:	vantara pentaho	scope:	eq	version:	-	Trust: 0.8
vendor:	日立ヴァンタラ	model:	vantara pentaho	scope:	eq	version:	8.3.0.0 that's all 8.3.0.25	Trust: 0.8

sources: JVNDB: JVNDB-2021-020580 // NVD: CVE-2021-45448

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-45448
value:	MEDIUM
Trust: 1.0
security.vulnerabilities@hitachivantara.com:	CVE-2021-45448
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-45448
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202211-1965
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2021-45448
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 1.0
security.vulnerabilities@hitachivantara.com:	CVE-2021-45448
baseSeverity:	HIGH
baseScore:	7.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	4.2
version:	3.1
Trust: 1.0
NVD:	CVE-2021-45448
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2021-020580 // CNNVD: CNNVD-202211-1965 // NVD: CVE-2021-45448 // NVD: CVE-2021-45448

PROBLEMTYPE DATA

problemtype:	CWE-22	Trust: 1.0
problemtype:	Path traversal (CWE-22) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-020580 // NVD: CVE-2021-45448

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202211-1965

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202211-1965

PATCH

title:	IMPORTANT	url:	https://support.pentaho.com/hc/en-us/articles/6744743458701	Trust: 0.8
title:	Hitachi Pentaho Business Analytics Repair measures for path traversal vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=213151	Trust: 0.6

sources: JVNDB: JVNDB-2021-020580 // CNNVD: CNNVD-202211-1965

EXTERNAL IDS

db:	NVD	id:	CVE-2021-45448	Trust: 3.2
db:	JVNDB	id:	JVNDB-2021-020580	Trust: 0.8
db:	CNNVD	id:	CNNVD-202211-1965	Trust: 0.6

sources: JVNDB: JVNDB-2021-020580 // CNNVD: CNNVD-202211-1965 // NVD: CVE-2021-45448

REFERENCES

url:	https://support.pentaho.com/hc/en-us/articles/6744743458701	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2021-45448	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2021-45448/	Trust: 0.6

sources: JVNDB: JVNDB-2021-020580 // CNNVD: CNNVD-202211-1965 // NVD: CVE-2021-45448

SOURCES

db:	JVNDB	id:	JVNDB-2021-020580
db:	CNNVD	id:	CNNVD-202211-1965
db:	NVD	id:	CVE-2021-45448

LAST UPDATE DATE

2024-08-14T14:02:14.647000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2021-020580	date:	2023-11-22T00:46:00
db:	CNNVD	id:	CNNVD-202211-1965	date:	2022-11-07T00:00:00
db:	NVD	id:	CVE-2021-45448	date:	2023-11-07T03:39:50.680

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2021-020580	date:	2023-11-22T00:00:00
db:	CNNVD	id:	CNNVD-202211-1965	date:	2022-11-02T00:00:00
db:	NVD	id:	CVE-2021-45448	date:	2022-11-02T16:15:09.897