Pentaho Business Analytics / Pentaho Business Server 9.1 Insufficient Access Control
Posted on 05 November 2021
Pentaho implements a series of web services using the SOAP protocol to allow scripted interaction with the backend server. While most of the interfaces correctly enforce ACLs, the Data Source Management Service located at /pentaho/webservices/datasourceMgmtService allows low-privilege authenticated users to list the connection details of all data sources used by Pentaho.
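
A log check for the exposure described above, added here as an example and not part of the original advisory: it scans web access logs for successful requests to the Data Source Management Service made by accounts outside an administrator allowlist. The log layout (common log format with the authenticated username in the third field), the allowlist and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# Endpoint named in the advisory.
ENDPOINT = "/pentaho/webservices/datasourceMgmtService"

# Assumed layout: common log format, e.g. Tomcat pattern %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def normalize_path(target):
    """Reduce a request target to a comparable path."""
    path = unquote(target.split("?", 1)[0])  # drop query string, decode %xx
    path = re.sub(r";[^/]*", "", path)       # drop ;jsessionid=... path parameters
    path = re.sub(r"/{2,}", "/", path)       # collapse duplicate slashes
    return path.rstrip("/")

def flag_datasource_mgmt_access(lines, admin_users):
    """Return successful requests to the endpoint not tied to an admin account.

    Requests logged without a username ("-") are reported as well, because
    they cannot be attributed to an administrator.
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize_path(m["target"]) != ENDPOINT:
            continue
        status = int(m["status"])
        if status >= 400 or m["user"] in admin_users:
            continue  # request was rejected, or came from an expected account
        findings.append((m["ts"], m["host"], m["user"], m["method"], status))
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.0.0.5 - admin [05/Nov/2021:10:00:01 +0000] "POST /pentaho/webservices/datasourceMgmtService HTTP/1.1" 200 5120',
    '10.0.0.9 - suzy [05/Nov/2021:10:02:17 +0000] "POST /pentaho/webservices/datasourceMgmtService HTTP/1.1" 200 5120',
    '10.0.0.9 - suzy [05/Nov/2021:10:02:40 +0000] "GET /pentaho//webservices/datasourceMgmtService;jsessionid=ABC?wsdl HTTP/1.1" 200 9000',
    '10.0.0.7 - pat [05/Nov/2021:10:03:00 +0000] "POST /pentaho/webservices/datasourceMgmtService HTTP/1.1" 403 120',
    '10.0.0.7 - pat [05/Nov/2021:10:03:05 +0000] "GET /pentaho/Home HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for finding in flag_datasource_mgmt_access(SAMPLE_LOG, {"admin"}):
        print(finding)
```

If the application's authentication layer does not expose the username to the access log, the user field will be `-` and every successful hit is reported for manual attribution.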