Overview

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. (CWE-522)

Products Affected 

Pentaho Data Integration & Analytics prior to versions 10.2.0.6 and 11.0.0.0

Description

Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0 expose Hadoop cluster credentials in plain text through the Cluster Test API. Although the user should not see those explicitly, the defect is mitigated by the fact the user can already leverage those credentials to submit jobs under the same account through the backend API.

Impact

An attacker could gain access to user accounts and access sensitive data used by the user accounts.

Action  

We recommend you upgrade to the latest Pentaho Data Integration & Analytics release or Service Pack where this vulnerability is addressed.

Please review the Pentaho End-of-Life policy to ensure you are up to date.