
Pentaho Business Analytics / Pentaho Business Server 9.1 User Enumeration

Posted on 05 November 2021

Pentaho implements a series of web services using the SOAP protocol to allow scripted interaction with the backend server. HAWSEC identified that the services userRoleListService and ServiceAction, exposed through the /pentaho/webservices/userRoleListService and /pentaho/ServiceAction?action=SecurityDetails endpoints, do not enforce sufficient access controls. Specifically, any authenticated user, not only an administrator, can list all application usernames present in the Jackrabbit Repository.
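Until the access controls on these two endpoints are fixed, a defender can at least detect the enumeration from the application server's access logs: calls to the two endpoints named above by accounts that have no administrative reason to list users. The script below is an added example written for this page, not code from HAWSEC or from the Pentaho project. It assumes Common Log Format lines with the authenticated username in the third field, uses a constructed sample log with hypothetical hosts and usernames, and treats the set of accounts allowed to call these services (here only `admin`) as a site-specific assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (Common Log Format); hosts and users are hypothetical.
SAMPLE_LOG = """\
10.0.0.5 - alice [05/Nov/2021:10:01:12 +0000] "POST /pentaho/webservices/userRoleListService HTTP/1.1" 200 1532
10.0.0.5 - alice [05/Nov/2021:10:01:13 +0000] "GET /pentaho/ServiceAction?action=SecurityDetails HTTP/1.1" 200 2048
10.0.0.9 - bob [05/Nov/2021:10:02:00 +0000] "GET /pentaho/Home HTTP/1.1" 200 512
10.0.0.9 - bob [05/Nov/2021:10:02:30 +0000] "GET /pentaho/ServiceAction?action=SecurityDetails HTTP/1.1" 200 2048
10.0.0.7 - admin [05/Nov/2021:10:03:00 +0000] "POST /pentaho/webservices/userRoleListService HTTP/1.1" 200 1532
10.0.0.9 - bob [05/Nov/2021:10:04:00 +0000] "GET /pentaho/ServiceAction?action=SecurityDetails HTTP/1.1" 403 0
"""

# Common Log Format: host ident authuser [date] "method target protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Accounts that legitimately call the user/role listing services (site-specific assumption).
ALLOWED_USERS = {"admin"}


def parse_line(line):
    """Parse one CLF line into a dict with the request path and query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query)
    return rec


def is_user_listing_call(rec):
    """True if the request hits one of the two endpoints named in the advisory."""
    if rec["path"] == "/pentaho/webservices/userRoleListService":
        return True
    if rec["path"] == "/pentaho/ServiceAction":
        return rec["params"].get("action", [""])[0] == "SecurityDetails"
    return False


def find_enumeration_attempts(log_text, allowed_users=ALLOWED_USERS):
    """Return (user, ip, path) for successful (2xx) listing calls by non-allowlisted users."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_user_listing_call(rec):
            continue
        # A 4xx on these endpoints means the control held; only 2xx indicates data was returned.
        if rec["status"].startswith("2") and rec["user"] not in allowed_users:
            hits.append((rec["user"], rec["ip"], rec["path"]))
    return hits


def hits_per_user(hits):
    """Count successful listing calls per non-allowlisted user, for alerting thresholds."""
    return Counter(user for user, _, _ in hits)


if __name__ == "__main__":
    found = find_enumeration_attempts(SAMPLE_LOG)
    for user, ip, path in found:
        print(f"user listing by non-admin account {user} from {ip}: {path}")
    print(dict(hits_per_user(found)))
```

On the sample log this flags alice twice and bob once; the admin call and bob's 403 are ignored. In production the same logic runs over the real access log (or a SIEM query with the same two path conditions), and any hit is worth a ticket, since the advisory states these services should not be reachable by ordinary authenticated users at all.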
