CVE-2021-31599

Published: Nov 8, 2021Modified: Jun 17, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. A reports (.prpt) file allows the inclusion of BeanShell scripts to ease the production of complex reports. An authenticated user can run arbitrary code.

Affected (2)

Products: Hitachi: Vantara Pentaho, Vantara Pentaho Business Intelligence Server

2 products

Vantara Pentaho

Vantara Pentaho Business Intelligence Server

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Hitachi Vantara Pentaho	Up to 9.1.0.0
Hitachi Vantara Pentaho Business Intelligence Server	Up to 7.1

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

http://packetstormsecurity.com/files/164772/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-Remote-Code-Execution.html

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://www.hitachi.com/hirt/security/index.html

Source: cve@mitre.org

Vendor Advisory

http://packetstormsecurity.com/files/164772/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-Remote-Code-Execution.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

https://www.hitachi.com/hirt/security/index.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.