CVE-2014-4802

Name of the Vulnerable Software and Affected Versions IBM Business Process Manager (BPM) versions 8.0 through 8.5.5

Description The issue concerns the Saved Search Admin component in the Process Admin Console, which fails to properly restrict task and instance listings in result sets. This allows remote authenticated users to bypass authorization checks, potentially obtaining sensitive information by executing a saved search.

Recommendations For IBM Business Process Manager (BPM) versions 8.0 through 8.5.5, consider restricting access to the Saved Search Admin component in the Process Admin Console until a fix is available. As a temporary workaround, limit the execution of saved searches to authorized personnel only.