Full title: Pentaho Business Analytics / Pentaho Business Server 9.1 User Enumeration Vulnerability
Category: web applications
Platform: java

Pentaho implements a series of web services using the SOAP protocol to allow scripting interaction with the backend server. HAWSEC identified that the services userRoleListService and ServiceAction, exposed through the /pentaho/webservices/userRoleListService and /pentaho/ServiceAction?action=SecurityDetails endpoints, do not enforce sufficient access controls. Specifically, an authenticated user can list all application usernames present in the Jackrabbit Repository.

# 0day.today @ http://0day.today/
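As an added detection example that is not part of the advisory, the following Python script scans access-log lines for successful requests to the two endpoints named above and counts them per authenticated user, so unusual listing activity from non-administrative accounts can be spotted. The Tomcat-style log layout, the addresses and the usernames are assumptions constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Tomcat's common access-log layout
# (%h %l %u %t "%r" %s %b); hosts and usernames are invented.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2021:10:01:12 +0000] "GET /pentaho/Home HTTP/1.1" 200 5120
10.0.0.5 - alice [12/Mar/2021:10:01:40 +0000] "POST /pentaho/webservices/userRoleListService HTTP/1.1" 200 2210
10.0.0.9 - bob [12/Mar/2021:10:02:03 +0000] "GET /pentaho/ServiceAction?action=SecurityDetails&details=all HTTP/1.1" 200 1985
10.0.0.9 - bob [12/Mar/2021:10:02:05 +0000] "GET /pentaho/api/repo/files/children HTTP/1.1" 200 840
10.0.0.5 - alice [12/Mar/2021:10:03:22 +0000] "POST /pentaho/webservices/userRoleListService HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_sensitive(target):
    """True when the request target is one of the two endpoints in the advisory."""
    parts = urlsplit(target)
    if parts.path == "/pentaho/webservices/userRoleListService":
        return True
    if parts.path == "/pentaho/ServiceAction":
        # Match on the parsed query so parameter order does not matter.
        return "SecurityDetails" in parse_qs(parts.query).get("action", [])
    return False

def find_enumeration_requests(log_text):
    """Return parsed lines that hit a user-listing endpoint and got HTTP 200."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == "200" and is_sensitive(rec["target"]):
            hits.append(rec)
    return hits

def count_by_user(hits):
    """Count successful user-listing requests per authenticated user."""
    return Counter(rec["user"] for rec in hits)

if __name__ == "__main__":
    for user, n in count_by_user(find_enumeration_requests(SAMPLE_LOG)).items():
        print(f"{user}: {n} successful request(s) to a user-listing endpoint")
```

Feed the real access log in place of SAMPLE_LOG; accounts that are not expected to administer users yet appear in the count are the ones to review.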