PT-2014-3937 · IBM · IBM Business Process Manager
Published: 2014-04-10 · Updated: 2017-08-29 · CVE-2014-0908
CVSS v2.0: 6.0 (Medium)
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
IBM Business Process Manager (BPM) versions 7.5.x through 7.5.1.2
IBM Business Process Manager (BPM) versions 8.0.x through 8.0.1.2
IBM Business Process Manager (BPM) versions 8.5.x through 8.5.0.1
Description
The issue concerns the User Attribute implementation, which fails to verify authorization for read or write access to attribute values. This allows remote authenticated users to obtain sensitive information, configure e-mail notifications, or modify task assignments via REST API calls.
Recommendations
For versions 7.5.x through 7.5.1.2, update to a version that includes the necessary authorization checks for the User Attribute implementation.
For versions 8.0.x through 8.0.1.2, update to a version that includes the necessary authorization checks for the User Attribute implementation.
For versions 8.5.x through 8.5.0.1, update to a version that includes the necessary authorization checks for the User Attribute implementation.
Affected Products
IBM Business Process Manager