PT-2014-3937 · IBM · IBM Business Process Manager

Published: 2014-04-10 · Updated: 2017-08-29 · CVE-2014-0908

CVSS v2.0: 6.0 (Medium)

Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

IBM Business Process Manager (BPM) versions 7.5.x through 7.5.1.2
IBM Business Process Manager (BPM) versions 8.0.x through 8.0.1.2
IBM Business Process Manager (BPM) versions 8.5.x through 8.5.0.1

Description

The issue concerns the User Attribute implementation, which fails to verify authorization for read or write access to attribute values. This allows remote authenticated users to obtain sensitive information, configure e-mail notifications, or modify task assignments via REST API calls.

Recommendations

For versions 7.5.x through 7.5.1.2, update to a version that includes the necessary authorization checks for the User Attribute implementation.
For versions 8.0.x through 8.0.1.2, update to a version that includes the necessary authorization checks for the User Attribute implementation.
For versions 8.5.x through 8.5.0.1, update to a version that includes the necessary authorization checks for the User Attribute implementation.

Fix


Weakness Enumeration

Related identifiers

CVE-2014-0908

Affected products

IBM Business Process Manager