PT-2015-3820 · Ibm · Ibm Business Process Manager

Published

2015-02-13

Updated

2015-02-17

CVE-2014-6139

CVSS v2.0

4.0

Medium

Vector

AV:N/AC:L/Au:S/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions IBM Business Process Manager versions 8.0.1.3, 8.5.0.1, 8.5.5.0

Description The issue allows remote authenticated users to bypass intended access restrictions. This is achieved by specifying a false value for the filterByCurrentUser parameter in the Search REST API, enabling them to perform task-instance and process-instance searches.

Recommendations For IBM Business Process Manager version 8.0.1.3, consider restricting access to the Search REST API until a fix is available. For IBM Business Process Manager version 8.5.0.1, avoid using the filterByCurrentUser parameter with a false value in the Search REST API. For IBM Business Process Manager version 8.5.5.0, restrict the use of the Search REST API to minimize the risk of exploitation.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-264

Related Identifiers

CVE-2014-6139

Affected Products

Ibm Business Process Manager

PT-2015-3820 · Ibm · Ibm Business Process Manager

CVE-2014-6139

Weakness Enumeration

Related Identifiers

Affected Products

References · 2