Theo-Ritense

Rank #7570 of 53,619 · Total CVSS 36.3 · Vulnerabilities: 4 (Critical: 3, High: 1)
PT-2026-38275 · CVSS 9.1 · 2026-05-06 · Ritense · Valtimo Case · CVE-2026-42555
**Name of the Vulnerable Software and Affected Versions**

- com.ritense.valtimo:document versions 12.0.0 through 12.31.0
- com.ritense.valtimo:case versions 13.0.0 through 13.22.0
- com.ritense.valtimo:contract versions 13.4.0 through 13.22.0

**Description**

Valtimo is an open-source business process automation platform. It evaluates Spring Expression Language (SpEL) expressions built from user-supplied input with `StandardEvaluationContext`, which gives the expression unrestricted access to Java types and methods. An authenticated user with the ADMIN role can therefore achieve remote code execution and exfiltrate credentials.

Technical details:

- The `DocumentMigrationService` is reachable through the endpoints `/api/management/v1/document-definition/migrate` and `/api/management/v1/document-definition/migration/conflicts`; the `source` or `target` field of a `DocumentMigrationPatch` object is passed to `handleSpelExpression()`.
- The `Condition` framework is reachable through the `value` field of a condition's JSON configuration in admin-configured widgets, dashboards, or features; that value is passed to `resolveValue()`.

**Recommendations**

- Update com.ritense.valtimo:document to version 12.32.0.
- Update com.ritense.valtimo:case to version 13.23.0.
- Update com.ritense.valtimo:contract to version 13.23.0.

As a temporary mitigation, replace `StandardEvaluationContext` with `SimpleEvaluationContext` in the affected classes to disallow Java type references and arbitrary method invocation.
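The following is an added example, not Valtimo code, that models the pattern described above: a user-controlled string is handed to the SpEL parser, first with `StandardEvaluationContext` (the reported configuration) and then with `SimpleEvaluationContext` (the temporary mitigation). The `#doc` variable and the `caseId`/`amount` keys are assumptions for the demo, not Valtimo's data model, and the "malicious" expression reads a harmless JVM property rather than spawning a process; the same `T(...)` type reference is what reaches `Runtime` or `ProcessBuilder` in a real attack.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

import java.util.Map;

/**
 * Added example (not Valtimo code). Evaluates an attacker-controlled SpEL string
 * under the two evaluation contexts named in the advisory. Requires spring-expression
 * on the classpath and Java 9+ (for Map.of).
 */
public class SpelContextDemo {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /** The dangerous pattern: untrusted text parsed and evaluated as SpEL. */
    static Object evaluate(String untrustedExpression, EvaluationContext ctx) {
        Expression expr = PARSER.parseExpression(untrustedExpression);
        return expr.getValue(ctx);
    }

    /** Vulnerable variant: T(...) type references and any method call are permitted. */
    static EvaluationContext vulnerableContext(Map<String, Object> doc) {
        StandardEvaluationContext ctx = new StandardEvaluationContext();
        ctx.setVariable("doc", doc); // "doc" is a demo assumption, not Valtimo's name
        return ctx;
    }

    /** Hardened variant: read-only data binding, no type locator, no method resolvers. */
    static EvaluationContext hardenedContext(Map<String, Object> doc) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        ctx.setVariable("doc", doc);
        return ctx;
    }

    public static void main(String[] args) {
        Map<String, Object> doc = Map.of("caseId", "C-1", "amount", 42); // constructed sample data

        // A value a migration patch or condition could legitimately need: data access only.
        String benign = "#doc['amount'] > 40";
        // Attacker-controlled value: escapes the data into arbitrary Java via a type reference.
        String malicious = "T(java.lang.System).getProperty('java.version')";

        System.out.println("standard/benign    : " + evaluate(benign, vulnerableContext(doc)));
        System.out.println("standard/malicious : " + evaluate(malicious, vulnerableContext(doc)));

        System.out.println("simple/benign      : " + evaluate(benign, hardenedContext(doc)));
        try {
            evaluate(malicious, hardenedContext(doc));
            System.out.println("simple/malicious   : evaluated (unexpected)");
        } catch (SpelEvaluationException e) {
            // SimpleEvaluationContext has no TypeLocator, so T(...) fails with TYPE_NOT_FOUND;
            // method calls would fail the same way with METHOD_NOT_FOUND.
            System.out.println("simple/malicious   : rejected (" + e.getMessageCode() + ")");
        }
    }
}
```

The benign expression still works under the hardened context because `forReadOnlyDataBinding()` keeps map indexing, property reads and comparison operators, which is the shape of a migration or condition value; it drops exactly the constructs the advisory names. When applying the mitigation, check that none of the affected call sites relies on method invocation, since those expressions will now fail rather than silently degrade.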
PT-2024-26120 · CVSS 9.8 · 2024-05-13 · Keycloak · Keycloak · CVE-2024-34706
**Name of the Vulnerable Software and Affected Versions**

- Valtimo versions prior to 10.8.4
- Valtimo versions prior to 11.1.6
- Valtimo versions prior to 11.2.2

**Description**

Valtimo is an open source business process and case management platform. When a form is opened in Valtimo, the user's access token (JWT) is sent to `api.form.io` in the `x-jwt-token` header. An attacker who obtains the token can read personal information from it or use it to call the Valtimo REST API on behalf of the logged-in user. The issue is caused by a misconfiguration of the Form.io component.

To perform this attack, all of the following must hold:

- the attacker has access to the network traffic to the `api.form.io` domain;
- the content of the `x-jwt-token` header is logged or otherwise available to the attacker;
- the attacker has network access to the Valtimo API;
- the attacker acts within the time-to-live of the access token, which is 5 minutes by default in Keycloak.

**Recommendations**

- For versions prior to 10.8.4, update to version 10.8.4 or later.
- For versions prior to 11.1.6, update to version 11.1.6 or later.
- For versions prior to 11.2.2, update to version 11.2.2 or later.

As a temporary workaround, restrict access to the `api.form.io` domain and to the Valtimo API to minimize the risk of exploitation, and ensure that the content of the `x-jwt-token` header is not logged or otherwise made available to potential attackers.
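As an added example, not Valtimo or Form.io code, the audit below runs over constructed captured requests (the kind a proxy or HAR export would give you) and flags any request to `api.form.io` that carries an `x-jwt-token` header, then decodes the token payload to show what an observer of that traffic learns without the signing key. The request records, the host names and the sample token are all constructed for the demo; the `sub`, `exp` and `preferred_username` claims are standard JWT/Keycloak claim names, but the values here are invented.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not Valtimo or Form.io code). Detects the advisory's condition in
 * captured traffic: a bearer-style token leaving the browser in x-jwt-token towards
 * the third-party api.form.io host. Java 16+ (records, Map.of, List.of).
 */
public class JwtLeakAudit {

    /** One captured outbound request (constructed shape, not a real HAR schema). */
    record CapturedRequest(String method, String host, String path, Map<String, String> headers) {}

    /** What the audit reports for each leaked token. */
    record Finding(String host, String path, String subject, long expiresAt) {}

    private static final Pattern SUB = Pattern.compile("\"sub\"\\s*:\\s*\"([^\"]+)\"");
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    /** Decodes the JWT payload without verifying it: claims are readable by anyone holding the token. */
    static String decodePayload(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new IllegalArgumentException("not a compact JWS");
        // Java's URL decoder accepts unpadded base64url, which is what JWTs use.
        return new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
    }

    static List<Finding> audit(List<CapturedRequest> requests) {
        List<Finding> findings = new ArrayList<>();
        for (CapturedRequest r : requests) {
            String token = null;
            for (Map.Entry<String, String> h : r.headers().entrySet()) {
                if (h.getKey().equalsIgnoreCase("x-jwt-token")) token = h.getValue();
            }
            if (token == null) continue;
            // The token is expected on the application's own API; only the third-party host is a leak.
            if (!r.host().equalsIgnoreCase("api.form.io")) continue;
            String payload = decodePayload(token);
            Matcher s = SUB.matcher(payload);
            Matcher e = EXP.matcher(payload);
            String subject = s.find() ? s.group(1) : "?";
            long exp = e.find() ? Long.parseLong(e.group(1)) : -1L;
            findings.add(new Finding(r.host(), r.path(), subject, exp));
        }
        return findings;
    }

    /** Builds an unsigned sample token so the demo runs offline (constructed, not a real Keycloak token). */
    static String sampleToken(String sub, long exp) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String claims = "{\"sub\":\"" + sub + "\",\"exp\":" + exp + ",\"preferred_username\":\"jdoe\"}";
        String payload = enc.encodeToString(claims.getBytes(StandardCharsets.UTF_8));
        return header + "." + payload + ".c2ln"; // signature bytes are irrelevant for reading claims
    }

    public static void main(String[] args) {
        String token = sampleToken("user-1234", 1_700_000_300L);
        List<CapturedRequest> captured = List.of(
            new CapturedRequest("GET", "valtimo.example.internal", "/api/v1/document",
                Map.of("Authorization", "Bearer " + token)),
            new CapturedRequest("GET", "api.form.io", "/form/abc",
                Map.of("x-jwt-token", token)));
        for (Finding f : audit(captured)) {
            System.out.println("LEAK to " + f.host() + f.path()
                + " subject=" + f.subject() + " exp=" + f.expiresAt());
        }
    }
}
```

The `exp` claim is what bounds the attack window the advisory describes (5 minutes by default in Keycloak): a finding whose `expiresAt` is in the past is evidence of exposure but no longer a usable credential, while a fresh one should be treated as an active session compromise. Run the same check against the application's own access logs and any proxy in front of `api.form.io` to confirm the header is not being persisted.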