{"api_version":"1","generated_at":"2026-04-23T06:21:46+00:00","cve":"CVE-2021-34684","urls":{"html":"https://cve.report/CVE-2021-34684","api":"https://cve.report/api/cve/CVE-2021-34684.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-34684","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-34684"},"summary":{"title":"CVE-2021-34684","description":"Hitachi Vantara Pentaho Business Analytics through 9.1 allows an unauthenticated user to execute arbitrary SQL queries on any Pentaho data source and thus retrieve data from the related databases, as demonstrated by an api/repos/dashboards/editor URI.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-11-08 04:15:00","updated_at":"2021-11-09 21:36:00"},"problem_types":["CWE-89"],"metrics":[],"references":[{"url":"https://www.hitachi.com/hirt/security/index.html","name":"https://www.hitachi.com/hirt/security/index.html","refsource":"MISC","tags":[],"title":"Security Information: Hitachi Incident Response Team : Hitachi","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://packetstormsecurity.com/files/164791/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-SQL-Injection.html","name":"http://packetstormsecurity.com/files/164791/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-SQL-Injection.html","refsource":"MISC","tags":[],"title":"Pentaho Business Analytics / Pentaho Business Server 9.1 SQL Injection ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-34684","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-34684","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"34684","vulnerable":"1","versionEndIncluding":"9.1.0.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"hitachi","cpe5":"vantara_pentaho","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-34684","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Hitachi Vantara Pentaho Business Analytics through 9.1 allows an unauthenticated user to execute arbitrary SQL queries on any Pentaho data source and thus retrieve data from the related databases, as demonstrated by an api/repos/dashboards/editor URI."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://www.hitachi.com/hirt/security/index.html","refsource":"MISC","name":"https://www.hitachi.com/hirt/security/index.html"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/164791/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-SQL-Injection.html","url":"http://packetstormsecurity.com/files/164791/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-SQL-Injection.html"}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N","version":"3.1"}}},"nvd":{"publishedDate":"2021-11-08 04:15:00","lastModifiedDate":"2021-11-09 21:36:00","problem_types":["CWE-89"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:hitachi:vantara_pentaho:*:*:*:*:*:*:*:*","versionEndIncluding":"9.1.0.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"34684","Ordinal":"210154","Title":"CVE-2021-34684","CVE":"CVE-2021-34684","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"34684","Ordinal":"1","NoteData":"Hitachi Vantara Pentaho Business Analytics through 9.1 allows an unauthenticated user to execute arbitrary SQL queries on any Pentaho data source and thus retrieve data from the related databases, as demonstrated by an api/repos/dashboards/editor URI.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"34684","Ordinal":"2","NoteData":"2021-11-07","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"34684","Ordinal":"3","NoteData":"2021-11-07","Type":"Other","Title":"Modified"}]}}}