PT-2025-35122 · Valtimo · Valtimo
Theo-Ritense
·
Published
2025-08-28
·
Updated
2025-08-28
·
CVE-2025-58059
CVSS v3 base score: 9.1 (Critical)
Base vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Valtimo versions prior to 12.16.0
Valtimo versions 13.0.0 through 13.1.1
Description:
Valtimo is a platform for Business Process Automation. Administrators with the ability to create, modify, and execute process definitions could gain access to sensitive data or resources. This includes running executables on the application host, inspecting and extracting data from the host environment or application properties, and accessing Spring beans (application context, database connection pooling). To perform this attack, a user must be logged in with the admin role and possess knowledge of running scripts via the Camunda/Operaton engine. The boundary that fails is the one between process administration and the host JVM: a script embedded in a process definition executes inside the application process with that process's privileges, which is why the vector combines high privileges required (PR:H) with a changed scope (S:C).
Recommendations:
Upgrade to Valtimo version 12.16.0 or later (12.x branch).
Upgrade to Valtimo version 13.1.2 or later (13.x branch).
If scripting is not required in any process, disable it via the ProcessEngineConfiguration. Note that this workaround may cause unexpected side effects: it also stops any legitimate script in your own definitions, so confirm that no deployed process depends on scripting and test the change outside production first.
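The workaround above only says "disable it via the ProcessEngineConfiguration". The following is an added example written for this page (it is not code from the advisory, from Valtimo, or from Camunda) showing two things a practitioner needs before and after applying it: a check that lists every embedded script in a BPMN definition, so the "not required in any process" precondition can actually be verified, and one way to refuse all script execution through a process engine plugin. It assumes the Camunda 7 engine API as used by Valtimo 12.x (ProcessEngineConfigurationImpl#getScriptingEngines/#setScriptingEngines, ScriptingEngines#getScriptEngineForLanguage, AbstractProcessEnginePlugin) and that the Spring Boot starter registers any ProcessEnginePlugin bean; verify both against the engine version you run. For Valtimo 13.x on Operaton the package prefix is assumed to change from org.camunda.bpm to org.operaton.bpm with the class names unchanged. The sample BPMN at the bottom is constructed for the demonstration.

```java
// Added example, not from the PT advisory or the Valtimo project.
// Assumptions: Camunda 7 engine API (ProcessEngineConfigurationImpl#getScriptingEngines /
// #setScriptingEngines, ScriptingEngines#getScriptEngineForLanguage) and a Spring Boot
// starter that picks up ProcessEnginePlugin beans. For Operaton-based Valtimo 13.x swap the
// org.camunda.bpm prefix for org.operaton.bpm (assumed; check your dependency tree).
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.script.ScriptEngine;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.camunda.bpm.engine.ProcessEngineException;
import org.camunda.bpm.engine.impl.cfg.AbstractProcessEnginePlugin;
import org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl;
import org.camunda.bpm.engine.impl.scripting.engine.ScriptingEngines;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ScriptingHardening {

    static final String BPMN_NS = "http://www.omg.org/spec/BPMN/20100524/MODEL";
    static final String CAMUNDA_NS = "http://camunda.org/schema/1.0/bpmn";

    /**
     * Step 1, the check: list every place a BPMN definition embeds a script, so you know whether
     * "scripting is not required in any process" actually holds before switching it off.
     * Covers script tasks, camunda:script bodies (listeners, I/O mappings) and script conditions.
     */
    public static List<String> findScriptUsages(byte[] bpmnXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Definitions are uploaded by users: refuse DTDs so the audit itself is not an XXE sink.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(bpmnXml));
        List<String> hits = new ArrayList<>();

        NodeList tasks = doc.getElementsByTagNameNS(BPMN_NS, "scriptTask");
        for (int i = 0; i < tasks.getLength(); i++) {
            Element t = (Element) tasks.item(i);
            hits.add("scriptTask id=" + t.getAttribute("id") + " scriptFormat=" + t.getAttribute("scriptFormat"));
        }
        NodeList scripts = doc.getElementsByTagNameNS(CAMUNDA_NS, "script");
        for (int i = 0; i < scripts.getLength(); i++) {
            Element s = (Element) scripts.item(i);
            Element owner = (Element) s.getParentNode(); // executionListener, taskListener, inputParameter, ...
            hits.add(owner.getLocalName() + " script scriptFormat=" + s.getAttribute("scriptFormat"));
        }
        NodeList conds = doc.getElementsByTagNameNS(BPMN_NS, "conditionExpression");
        for (int i = 0; i < conds.getLength(); i++) {
            Element c = (Element) conds.item(i);
            if (!c.getAttribute("language").isEmpty()) { // a language attribute turns the condition into a script
                hits.add("conditionExpression language=" + c.getAttribute("language"));
            }
        }
        return hits;
    }

    /**
     * Step 2, the workaround: a process engine plugin that swaps in a ScriptingEngines whose
     * engine lookup always throws, so no script in any language can run. This is deliberately
     * blanket (it also stops legitimate scripts, hence the advisory's side-effects warning).
     */
    public static class NoScriptingPlugin extends AbstractProcessEnginePlugin {
        @Override
        public void postInit(ProcessEngineConfigurationImpl cfg) {
            ScriptingEngines refusing = new ScriptingEngines(cfg.getScriptingEngines().getScriptBindingsFactory()) {
                @Override
                public ScriptEngine getScriptEngineForLanguage(String language) {
                    throw new ProcessEngineException("Script execution is disabled by policy (language: " + language + ")");
                }
            };
            cfg.setScriptingEngines(refusing);
        }
    }

    // Constructed sample definition: one Groovy script task plus a script execution listener.
    static final String SAMPLE_BPMN = """
        <?xml version="1.0" encoding="UTF-8"?>
        <bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL"
                          xmlns:camunda="http://camunda.org/schema/1.0/bpmn" id="defs">
          <bpmn:process id="sample" isExecutable="true">
            <bpmn:scriptTask id="calc" scriptFormat="groovy">
              <bpmn:script>execution.setVariable("total", 42)</bpmn:script>
            </bpmn:scriptTask>
            <bpmn:serviceTask id="notify" camunda:expression="${true}">
              <bpmn:extensionElements>
                <camunda:executionListener event="start">
                  <camunda:script scriptFormat="javascript">print("start")</camunda:script>
                </camunda:executionListener>
              </bpmn:extensionElements>
            </bpmn:serviceTask>
          </bpmn:process>
        </bpmn:definitions>
        """;

    public static void main(String[] args) throws Exception {
        for (String hit : findScriptUsages(SAMPLE_BPMN.getBytes(StandardCharsets.UTF_8))) {
            System.out.println("script usage: " + hit);
        }
    }
}
```

Run the audit over every definition returned by the repository service (or over the BPMN files in your deployment) and only install the plugin when the list is empty; register it in a Spring configuration class with a method that returns `new ScriptingHardening.NoScriptingPlugin()` annotated `@Bean` (the starter's pickup of plugin beans is an assumption to confirm for your version). Because the plugin refuses every language rather than filtering a list, any script that survives the audit will surface as a ProcessEngineException at runtime, which is exactly the kind of side effect the advisory warns about.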
Fix · RCE · Information Disclosure · OS Command Injection