CVE-2014-4758

Name of the Vulnerable Software and Affected Versions IBM Business Process Manager (BPM) versions 7.5.x through 8.5.5 WebSphere Lombardi Edition versions 7.2.x

Description The issue allows remote authenticated users to bypass intended access restrictions and send requests to internal services via a "callService URL".

Recommendations For IBM Business Process Manager (BPM) versions 7.5.x through 8.5.5, restrict access to internal services to minimize the risk of exploitation. For WebSphere Lombardi Edition versions 7.2.x, avoid using the callService URL in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.