CVE-2014-6139

Name of the Vulnerable Software and Affected Versions IBM Business Process Manager versions 8.0.1.3, 8.5.0.1, 8.5.5.0

Description The issue allows remote authenticated users to bypass intended access restrictions. This is achieved by specifying a false value for the filterByCurrentUser parameter in the Search REST API, enabling them to perform task-instance and process-instance searches.

Recommendations For IBM Business Process Manager version 8.0.1.3, consider restricting access to the Search REST API until a fix is available. For IBM Business Process Manager version 8.5.0.1, avoid using the filterByCurrentUser parameter with a false value in the Search REST API. For IBM Business Process Manager version 8.5.5.0, restrict the use of the Search REST API to minimize the risk of exploitation.