Pentaho Business Analytics / Pentaho Business Server 9.1 User Enumeration
Posted by deepcore on November 6, 2021 – 10:42 pm
Pentaho implements a series of web services using the SOAP protocol to allow scripted interaction with the backend server. HAWSEC identified that the services userRoleListService and ServiceAction, exposed through the /pentaho/webservices/userRoleListService and /pentaho/ServiceAction?action=SecurityDetails endpoints, do not enforce sufficient access controls. Specifically, any authenticated user can list all application usernames present in the Jackrabbit Repository.
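Because the two endpoints named above return the full user list to any authenticated account, a defender who cannot immediately patch will want to know which accounts are hitting them. The following is an added example, not code from HAWSEC or from Pentaho: it scans web-server access log lines for successful requests to the two endpoints described in the advisory and counts them per client address and authenticated user. The log lines are constructed for the example, and the combined-log layout (remote user in the third field, as Tomcat or Apache access logs emit it) is an assumption; adjust the regex to the log format your deployment actually writes.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Endpoints named in the advisory. ServiceAction is only sensitive with
# the SecurityDetails action, so the query string is checked separately.
USER_ROLE_LIST_PATH = "/pentaho/webservices/userRoleListService"
SERVICE_ACTION_PATH = "/pentaho/ServiceAction"
SENSITIVE_ACTIONS = {"SecurityDetails"}

# Assumed combined log format (host ident user [time] "METHOD target proto" status size).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log; none of these lines comes from a real system.
SAMPLE_LOG = """\
10.0.0.5 - alice [06/Nov/2021:22:40:01 +0000] "POST /pentaho/webservices/userRoleListService HTTP/1.1" 200 4821
10.0.0.5 - alice [06/Nov/2021:22:40:03 +0000] "GET /pentaho/ServiceAction?action=SecurityDetails HTTP/1.1" 200 9120
10.0.0.9 - bob [06/Nov/2021:22:41:10 +0000] "GET /pentaho/Home HTTP/1.1" 200 3300
10.0.0.9 - bob [06/Nov/2021:22:41:12 +0000] "GET /pentaho/ServiceAction?action=SecurityDetails HTTP/1.1" 401 0
10.0.0.5 - alice [06/Nov/2021:22:42:00 +0000] "GET /pentaho/api/repo/files/children HTTP/1.1" 200 1200
this line is not a log line
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def is_enumeration_request(rec):
    """True if the record targets one of the user-enumeration endpoints from the advisory."""
    if rec["path"] == USER_ROLE_LIST_PATH:
        return True
    if rec["path"] == SERVICE_ACTION_PATH:
        return any(a in SENSITIVE_ACTIONS for a in rec["query"].get("action", []))
    return False


def scan(lines):
    """Return (matching records, Counter keyed by (host, user)) for successful (2xx) hits only."""
    hits = []
    per_user = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the scan
        if is_enumeration_request(rec) and rec["status"].startswith("2"):
            hits.append(rec)
            per_user[(rec["host"], rec["user"])] += 1
    return hits, per_user


if __name__ == "__main__":
    hits, per_user = scan(SAMPLE_LOG.splitlines())
    for (host, user), n in per_user.most_common():
        print(f"{host} {user}: {n} successful user-enumeration request(s)")
```

Only 2xx responses are counted, so a denied request (such as bob's 401 in the sample) is not reported as a disclosure; an account with a high count across many distinct users in the response body is the signal worth reviewing. Restricting these endpoints to administrative roles at the proxy or in the application's access configuration is the mitigation, and this scan tells you whether that restriction is being exercised.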