CVE-2021-45447 - Vulnerability Details - OpenCVE

Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and 8.3.0.25 with the Data Lineage feature enabled transmits database passwords in clear text. The transmission of sensitive data in clear text allows unauthorized actors with access to the network to sniff and obtain sensitive information that can be later used to gain unauthorized access.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Hitachi	Vantara Pentaho

Configuration 1 [-]

OR	cpe:2.3:a:hitachi:vantara_pentaho::::::::
	cpe:2.3:a:hitachi:vantara_pentaho::::::::

No data.

References

Link	Providers
https://support.pentaho.com/hc/en-us/articles/6744504393101

History

Fri, 02 May 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: HITVAN

Published: 2022-11-02T14:56:01.585Z

Updated: 2025-05-02T20:38:51.406Z

Reserved: 2021-12-21T05:57:40.703Z

Link: CVE-2021-45447

Vulnrichment

Updated: 2024-08-04T04:39:20.773Z

NVD

Status : Modified

Published: 2022-11-02T15:15:10.247

Modified: 2024-11-21T06:32:13.613

Link: CVE-2021-45447

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-45447", "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13", "state": "PUBLISHED", "assignerShortName": "HITVAN", "requesterUserId": "520cc88b-a1c8-44f6-9154-21a4d74c769f", "dateReserved": "2021-12-21T05:57:40.703Z", "datePublished": "2022-11-02T14:56:01.585Z", "dateUpdated": "2025-05-02T20:38:51.406Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Pentaho Business Analytics Server", "vendor": "Hitachi Vantara", "versions": [{"lessThan": "9.2.0.2", "status": "affected", "version": "9.0.0.0", "versionType": "All"}, {"lessThan": "8.3.0.25", "status": "affected", "version": "1.0", "versionType": "All"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nHitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and \n8.3.0.25 with the Data Lineage feature enabled transmits database passwords in clear text.  \n\nThe transmission of sensitive data in clear text allows unauthorized actors with access to the \nnetwork to sniff and obtain sensitive information that can be later used to gain unauthorized \naccess.\n\n\n"}], "value": "\nHitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and \n8.3.0.25 with the Data Lineage feature enabled transmits database passwords in clear text.\u00a0\u00a0\n\nThe transmission of sensitive data in clear text allows unauthorized actors with access to the \nnetwork to sniff and obtain sensitive information that can be later used to gain unauthorized \naccess.\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13", "shortName": "HITVAN", "dateUpdated": "2022-11-02T14:56:03.090Z"}, "references": [{"url": "https://support.pentaho.com/hc/en-us/articles/6744504393101"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nThe defect may be mitigated now by disabling the Data Lineage feature or updating to a patched version<br>"}], "value": "\nThe defect may be mitigated now by disabling the Data Lineage feature or updating to a patched version\n"}], "source": {"discovery": "UNKNOWN"}, "title": " Pentaho Business Analytics Server - With the Data Lineage feature enabled, the system transmits database passwords in clear text", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:39:20.773Z"}, "title": "CVE Program Container", "references": [{"url": "https://support.pentaho.com/hc/en-us/articles/6744504393101", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-02T20:38:38.823127Z", "id": "CVE-2021-45447", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-02T20:38:51.406Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://support.pentaho.com/hc/en-us/articles/6744504393101", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:39:20.773Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-45447", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-02T20:38:38.823127Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-02T20:38:42.389Z"}}], "cna": {"title": " Pentaho Business Analytics Server - With the Data Lineage feature enabled, the system transmits database passwords in clear text", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Hitachi Vantara", "product": "Pentaho Business Analytics Server", "versions": [{"status": "affected", "version": "9.0.0.0", "lessThan": "9.2.0.2", "versionType": "All"}, {"status": "affected", "version": "1.0", "lessThan": "8.3.0.25", "versionType": "All"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "\nThe defect may be mitigated now by disabling the Data Lineage feature or updating to a patched version\n", "supportingMedia": [{"type": "text/html", "value": "\n\nThe defect may be mitigated now by disabling the Data Lineage feature or updating to a patched version<br>", "base64": false}]}], "references": [{"url": "https://support.pentaho.com/hc/en-us/articles/6744504393101"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "\nHitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and \n8.3.0.25 with the Data Lineage feature enabled transmits database passwords in clear text.\u00a0\u00a0\n\nThe transmission of sensitive data in clear text allows unauthorized actors with access to the \nnetwork to sniff and obtain sensitive information that can be later used to gain unauthorized \naccess.\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\nHitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and \n8.3.0.25 with the Data Lineage feature enabled transmits database passwords in clear text.  \n\nThe transmission of sensitive data in clear text allows unauthorized actors with access to the \nnetwork to sniff and obtain sensitive information that can be later used to gain unauthorized \naccess.\n\n\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information"}]}], "providerMetadata": {"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13", "shortName": "HITVAN", "dateUpdated": "2022-11-02T14:56:03.090Z"}}}, "cveMetadata": {"cveId": "CVE-2021-45447", "state": "PUBLISHED", "dateUpdated": "2025-05-02T20:38:51.406Z", "dateReserved": "2021-12-21T05:57:40.703Z", "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13", "datePublished": "2022-11-02T14:56:01.585Z", "requesterUserId": "520cc88b-a1c8-44f6-9154-21a4d74c769f", "assignerShortName": "HITVAN"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hitachi:vantara_pentaho:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB67F45F-D25C-4B85-8819-433D89F3EF1F", "versionEndExcluding": "8.3.0.25", "versionStartIncluding": "8.3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hitachi:vantara_pentaho:*:*:*:*:*:*:*:*", "matchCriteriaId": "111F5389-BE1D-480F-8229-3EEDF8F6D82A", "versionEndExcluding": "9.2.0.2", "versionStartIncluding": "9.2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\nHitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and \n8.3.0.25 with the Data Lineage feature enabled transmits database passwords in clear text.\u00a0\u00a0\n\nThe transmission of sensitive data in clear text allows unauthorized actors with access to the \nnetwork to sniff and obtain sensitive information that can be later used to gain unauthorized \naccess.\n\n\n"}, {"lang": "es", "value": "Las versiones de Hitachi Vantara Pentaho Business Analytics Server anteriores a 9.3.0.0, 9.2.0.2 y 8.3.0.25 con la funci\u00f3n Data Lineage habilitada transmite las contrase\u00f1as de la base de datos en texto plano. La transmisi\u00f3n de datos confidenciales en texto plano permite a actores no autorizados con acceso a la red rastrear y obtener informaci\u00f3n confidencial que luego puede usarse para obtener acceso no autorizado."}], "id": "CVE-2021-45447", "lastModified": "2024-11-21T06:32:13.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.5, "source": "security.vulnerabilities@hitachivantara.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-02T15:15:10.247", "references": [{"source": "security.vulnerabilities@hitachivantara.com", "tags": ["Vendor Advisory"], "url": "https://support.pentaho.com/hc/en-us/articles/6744504393101"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://support.pentaho.com/hc/en-us/articles/6744504393101"}], "sourceIdentifier": "security.vulnerabilities@hitachivantara.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "security.vulnerabilities@hitachivantara.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}]}