Pentaho Business Analytics / Pentaho Business Server 9.1 Insufficient Access Control
Posted by deepcore on November 6, 2021 – 10:42 pm
Pentaho implements a series of web services using the SOAP protocol to allow scripted interaction with the backend server. While most of the interfaces correctly enforce access control lists (ACLs), the Data Source Management Service located at /pentaho/webservices/datasourceMgmtService allows low-privilege authenticated users to list the connection details of all data sources used by Pentaho.
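For detection, the following added example (not part of the original advisory and not Pentaho code) scans web access logs for successful requests to the Data Source Management Service made by accounts outside an administrator allow-list. The access log layout, the `ADMIN_USERS` set and every sample log line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Endpoint named in the advisory.
ENDPOINT = "/pentaho/webservices/datasourceMgmtService"

# Assumption: accounts that are expected to manage data sources (site-specific).
ADMIN_USERS = {"admin"}

# Assumption: "combined"-style access log with the authenticated user in field 3.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample input, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [06/Nov/2021:10:01:02 +0000] "POST /pentaho/webservices/datasourceMgmtService HTTP/1.1" 200 5120
10.0.0.7 - jsmith [06/Nov/2021:10:03:11 +0000] "POST /pentaho/webservices/datasourceMgmtService HTTP/1.1" 200 5098
10.0.0.7 - jsmith [06/Nov/2021:10:03:15 +0000] "GET /pentaho/Home HTTP/1.1" 200 812
10.0.0.9 - - [06/Nov/2021:10:04:00 +0000] "GET /pentaho/webservices/datasourceMgmtService?wsdl HTTP/1.1" 401 0
10.0.0.8 - analyst1 [06/Nov/2021:10:05:40 +0000] "POST /pentaho/webservices/datasourceMgmtService;jsessionid=AB12 HTTP/1.1" 200 5098
truncated or malformed line
"""

def normalize_path(raw):
    """Drop the query string, ;path-parameters and any trailing slash."""
    path = raw.split("?", 1)[0]
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return path.rstrip("/")

def flag_datasource_access(log_text, admins=ADMIN_USERS):
    """Return {user: [(timestamp, ip, method), ...]} for successful requests
    to the endpoint by authenticated users who are not in the allow-list."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or normalize_path(m["path"]) != ENDPOINT:
            continue
        user, status = m["user"], int(m["status"])
        # Skip unauthenticated, allow-listed and non-2xx requests.
        if user == "-" or user in admins or not 200 <= status < 300:
            continue
        hits[user].append((m["ts"], m["ip"], m["method"]))
    return dict(hits)

if __name__ == "__main__":
    for user, events in flag_datasource_access(SAMPLE_LOG).items():
        print(user, events)
```

Any account this reports has received a successful response from the service and should be reviewed against who is meant to see data source connection details.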