PT-2015-1417 · IBM · WebSphere Lombardi Edition +2
Published 2015-06-28 · Updated 2016-12-28 · CVE-2015-1884
CVSS v2.0: 4.0 (Medium)
| Vector | AV:N/AC:L/Au:S/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
WebSphere Application Server versions prior to the fixed version
IBM Business Process Manager (BPM) versions 7.5.x through 7.5.1.2
IBM Business Process Manager (BPM) versions 8.0.x through 8.0.1.3
IBM Business Process Manager (BPM) versions 8.5.0 through 8.5.0.1
IBM Business Process Manager (BPM) versions 8.5.5 through 8.5.5.0
WebSphere Lombardi Edition (WLE) versions 7.2 through 7.2.0.5
Description
The issue exists because the path used to load an internationalization (i18n) resource file is not properly confined to the intended resource directory. A remote attacker who already holds valid credentials (the CVSS vector requires single authentication) can request a specially crafted internationalization-file URL containing directory traversal sequences and read arbitrary files that the application server process can access. Integrity and availability are not affected; the impact is limited to disclosure of file contents.
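The defect described above is the classic shape of a path traversal: a file name taken from the request is joined to a base directory and opened, with nothing stopping "../" (plain or URL-encoded) from walking out of that directory. The following Python block is an added example and is not code from IBM BPM, WebSphere Lombardi Edition or WebSphere Application Server (which are Java products); it builds a throw-away directory layout, the file names and the functions `vulnerable_load` and `hardened_load` are all constructed for illustration, and the same containment check translates directly to Java's `File.getCanonicalPath()`.

```python
import os
import shutil
import tempfile
from urllib.parse import unquote


def make_sandbox() -> str:
    """Constructed layout: one legitimate i18n bundle, one sibling directory
    whose name shares a prefix with the resource directory, and a secret
    file two levels up. All names are invented for this example."""
    root = tempfile.mkdtemp(prefix="i18n-demo-")
    res_dir = os.path.join(root, "resources", "i18n")
    os.makedirs(res_dir)
    os.makedirs(os.path.join(root, "resources", "i18n_private"))
    with open(os.path.join(res_dir, "messages_en.properties"), "w") as f:
        f.write("greeting=Hello\n")
    with open(os.path.join(root, "resources", "i18n_private", "leak.properties"), "w") as f:
        f.write("internal=yes\n")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("db.password=hunter2\n")
    return root


def vulnerable_load(res_dir: str, requested: str) -> str:
    """Vulnerable pattern: decode the request and join it to the base
    directory with no containment check. '../' escapes res_dir, and an
    absolute path makes os.path.join discard res_dir entirely."""
    path = os.path.join(res_dir, unquote(requested))
    with open(path) as f:
        return f.read()


def hardened_load(res_dir: str, requested: str) -> str:
    """Hardened version: reject absolute paths and NUL bytes, canonicalise
    both sides (resolving '..' and symlinks), then require the target to sit
    inside the base directory. commonpath is used instead of startswith so
    that '/resources/i18n_private' is not accepted as being under
    '/resources/i18n' (the prefix-match bypass)."""
    name = unquote(requested)
    if os.path.isabs(name) or name.startswith("\\") or "\x00" in name:
        raise PermissionError(f"rejected request: {requested!r}")
    base = os.path.realpath(res_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes resource directory: {requested!r}")
    if not os.path.isfile(target):
        raise FileNotFoundError(target)
    with open(target) as f:
        return f.read()


def run_demo() -> dict:
    """Run both loaders over a set of traversal probes and report which ones
    leak through the vulnerable loader and which the hardened loader blocks."""
    root = make_sandbox()
    res_dir = os.path.join(root, "resources", "i18n")
    probes = [
        "../../secret.txt",                  # plain traversal
        "%2e%2e/%2e%2e/secret.txt",          # URL-encoded traversal
        os.path.join(root, "secret.txt"),    # absolute path (join discards base)
        "../i18n_private/leak.properties",   # sibling dir sharing a name prefix
    ]
    leaked, blocked = [], []
    for p in probes:
        try:
            vulnerable_load(res_dir, p)
            leaked.append(p)
        except OSError:
            pass
        try:
            hardened_load(res_dir, p)
        except PermissionError:
            blocked.append(p)
    legit = hardened_load(res_dir, "messages_en.properties")
    shutil.rmtree(root)
    return {"legit": legit, "probes": probes,
            "leaked_by_vulnerable": leaked, "blocked_by_hardened": blocked}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The decode step matters in both directions: the check must run on the same string that will be opened, so decode first and then canonicalise, and never compare against the raw, still-encoded request.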
Recommendations
For IBM Business Process Manager (BPM) versions 7.5.x through 7.5.1.2, update to a fixed release from IBM outside this range.
For IBM Business Process Manager (BPM) versions 8.0.x through 8.0.1.3, update to a fixed release from IBM outside this range.
For IBM Business Process Manager (BPM) versions 8.5.0 through 8.5.0.1, update to a fixed release from IBM outside this range.
For IBM Business Process Manager (BPM) versions 8.5.5 through 8.5.5.0, update to a fixed release from IBM outside this range.
For WebSphere Lombardi Edition (WLE) versions 7.2 through 7.2.0.5, update to a fixed release from IBM outside this range.
As a temporary workaround, limit what the account running the application server can read: tighten file-system permissions on sensitive files and directories so that a traversal out of the resource directory reaches as little as possible. This reduces exposure but does not remove the flaw; only the vendor fix does.
Weakness Enumeration
Path traversal (CWE-22)
Affected Products
IBM Business Process Manager
IBM WebSphere Application Server
WebSphere Lombardi Edition