PT-2015-1645 · IBM · IBM Business Process Manager

Published: 2015-07-31 · Updated: 2017-09-21 · CVE-2015-1904

CVSS v2.0: 3.5 (Low)
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
IBM Business Process Manager (BPM) 8.0.x through 8.0.1.3
IBM Business Process Manager (BPM) 8.5.0 through 8.5.0.1
IBM Business Process Manager (BPM) 8.5.5 through 8.5.5.0
IBM Business Process Manager (BPM) 8.5.6 through 8.5.6.0
Description
IBM BPM performs insufficient access control on documents when external Enterprise Content Management (ECM) integration is enabled with a certain technical system account configuration. In that configuration a remote, already authenticated user can upload or download documents that the intended document-access restrictions should deny them. The CVSS vector matches the description: network-reachable (AV:N), medium complexity because the specific ECM configuration is required (AC:M), a single valid account needed (Au:S), and a partial integrity impact (I:P).
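To make the pattern behind the description concrete, here is an added, hypothetical model in Python. It is not IBM BPM or ECM code, and every name in it (EcmStore, DocumentService, TECHNICAL_ACCOUNT, the sample documents and ACLs) is invented. It shows a BPM-side document proxy that talks to the content store as one shared technical account, first without and then with a per-caller entitlement check, so the same upload and download requests can be compared in both configurations.

```python
"""Hypothetical model of the access-control gap in the description above.

Added illustration, not IBM BPM or ECM code. All names are invented.
The point: when the BPM tier authenticates to the content store as a
single technical account, the store's own ACL only ever sees that trusted
identity, so per-user checks must happen in the BPM tier before any
upload or download is forwarded. Dropping the caller's identity is the
vulnerable configuration; evaluating it first is the hardened one.
"""
from dataclasses import dataclass, field

TECHNICAL_ACCOUNT = "bpm-ecm-svc"  # assumed shared service identity


@dataclass
class Document:
    doc_id: str
    folder: str
    owner: str
    content: bytes
    readers: set = field(default_factory=set)


class EcmStore:
    """Constructed stand-in for the external ECM repository."""

    def __init__(self):
        self._docs = {}
        # Folder-level write ACL as the store sees it. The technical
        # account is entitled everywhere, which is what makes it dangerous.
        self._folder_writers = {"finance": {"alice", TECHNICAL_ACCOUNT}}

    def metadata(self, principal, doc_id):
        doc = self._docs[doc_id]
        if principal != TECHNICAL_ACCOUNT and principal != doc.owner and principal not in doc.readers:
            raise PermissionError(f"{principal} may not read {doc_id}")
        return doc

    def download(self, principal, doc_id):
        return self.metadata(principal, doc_id).content

    def folder_writers(self, principal, folder):
        if principal != TECHNICAL_ACCOUNT:
            raise PermissionError("ACL inspection is reserved for the technical account")
        return set(self._folder_writers.get(folder, set()))

    def upload(self, principal, doc):
        if principal != TECHNICAL_ACCOUNT and principal not in self._folder_writers.get(doc.folder, set()):
            raise PermissionError(f"{principal} may not write to {doc.folder}")
        self._docs[doc.doc_id] = doc
        return doc.doc_id


class DocumentService:
    """BPM-side document proxy called by users who already authenticated to BPM."""

    def __init__(self, store, enforce_caller_entitlement):
        self.store = store
        # False models the vulnerable configuration: the caller's identity is
        # discarded and every request runs purely as the technical account.
        self.enforce = enforce_caller_entitlement

    def download(self, user, doc_id):
        if self.enforce:
            # Read the document's ACL under the technical account, then
            # evaluate it against the real caller before releasing content.
            meta = self.store.metadata(TECHNICAL_ACCOUNT, doc_id)
            if user != meta.owner and user not in meta.readers:
                raise PermissionError(f"{user} is not entitled to read {doc_id}")
        return self.store.download(TECHNICAL_ACCOUNT, doc_id)

    def upload(self, user, doc):
        if self.enforce and user not in self.store.folder_writers(TECHNICAL_ACCOUNT, doc.folder):
            raise PermissionError(f"{user} is not entitled to write to {doc.folder}")
        return self.store.upload(TECHNICAL_ACCOUNT, doc)


def build_sample_store():
    """Constructed sample data: one finance document owned by alice, readable by carol."""
    store = EcmStore()
    store.upload(TECHNICAL_ACCOUNT, Document("fin-001", "finance", "alice", b"Q3 payroll", readers={"carol"}))
    return store


def outcome(action, *args):
    """Collapse an operation to 'allowed' or 'denied' so configurations can be compared."""
    try:
        action(*args)
        return "allowed"
    except PermissionError:
        return "denied"


def compare(user, doc_id="fin-001"):
    """Run the same download and upload as `user` against both service configurations."""
    vulnerable = DocumentService(build_sample_store(), enforce_caller_entitlement=False)
    hardened = DocumentService(build_sample_store(), enforce_caller_entitlement=True)
    new_doc = Document("fin-002", "finance", user, b"new content")
    return {
        "download_vulnerable": outcome(vulnerable.download, user, doc_id),
        "download_hardened": outcome(hardened.download, user, doc_id),
        "upload_vulnerable": outcome(vulnerable.upload, user, new_doc),
        "upload_hardened": outcome(hardened.upload, user, new_doc),
    }


if __name__ == "__main__":
    for name in ("alice", "carol", "bob"):
        print(name, compare(name))
```

The practitioner's check is the row for a user with no entitlement at all (bob here): in the vulnerable configuration both his download and his upload succeed because the store only ever sees the technical account, while the hardened proxy denies both before anything reaches the store. Note that the hardened proxy still uses the technical account to talk to the store; what changes is that the caller's identity is evaluated against the document and folder ACLs first.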
Recommendations
All four affected release lines (8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.0) are exposed to the same issue, so the guidance is the same for each: apply the vendor fix for your release. Until it is applied, disable the external ECM integration, or at least stop using the technical system account configuration that enables the bypass, and restrict the document upload and download functions to users who are entitled to the documents behind them. Verify the workaround by confirming that an authenticated user without rights to a given document can no longer download it or upload into its folder.

Fix


Weakness Enumeration

Related Identifiers

BDU:2015-10991
CVE-2015-1904

Affected Products

Ibm Business Process Manager