Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM3E1DB4A62840ABDAF2B7D325DDCFC0D45ED899E2B6EEE798DE7793218E4F9EE9
HistoryJun 15, 2018 - 6:59 a.m.

Security Bulletin: Missing authorization concept for IBM Business Process Manager (BPM) User Attributes CVE-2014-0908

2018-06-1506:59:55
www.ibm.com
9

EPSS

0.002

Percentile

53.2%

JSON

Summary

The User Attribute feature in IBM Business Process Manager does not have an authorization concept.

Vulnerability Details

As a consequence, each user can read and update their own attribute values and the attribute values for another user by using REST APIs. However, there are security-sensitive use cases for user attribute values, such as email notifications or task assignments that use expressions. You might also choose to store confidential information about users in user attribute values. The lack of authorization for this feature can create a security exposure.

CVEID: CVE-2014-0908
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91870 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:N)

Affected Products and Versions

  • IBM Business Process Manager Standard V7.5.x, 8.0.x, 8.5.x
  • IBM Business Process Manager Express V7.5.x, 8.0.x, 8.5.x
  • IBM Business Process Manager Advanced V7.5.x, 8.0.x, 8.5.x

Remediation/Fixes

Install IBM Business Process Manager interim fix JR49505 as appropriate for your current IBM Business Process Manager product version. Interim fixes are available for the following products:

* [IBM Business Process Manager Standard](<http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Standard&release=All&platform=All&function=aparId&apars=JR49505&source=fc>)
* [IBM Business Process Manager Express](<http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Express&release=All&platform=All&function=aparId&apars=JR49505&source=fc>)
* [IBM Business Process Manager Advanced](<http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Advanced&release=All&platform=All&function=aparId&apars=JR49505&source=fc>)

Workarounds and Mitigations

The following workarounds are available depending on your usage of the IBM Business Process Manager product and its REST APIs:

  * Do not use user attribute values for security-sensitive use cases. 
  * Block write access to the REST APIs User resource (PUT and POST HTTP methods) in a firewall. 
  * Do not expose the User resource REST API on your web server.

Related

seebug 1
cvelist 1
cve 1
nvd 1
prion 1
seebug
seebug
IBM Business Process ManagerζŽˆζƒη»•θΏ‡ζΌζ΄ž
2014-04-10 00:00:00
cvelist
cvelist
CVE-2014-0908
2014-04-10 23:00:00
cve
cve
CVE-2014-0908
2014-04-10 23:55:04
nvd
nvd
CVE-2014-0908
2014-04-10 23:55:04
prion
prion
Authorization
2014-04-10 23:55:00

EPSS

0.002

Percentile

53.2%

JSON
Related for 3E1DB4A62840ABDAF2B7D325DDCFC0D45ED899E2B6EEE798DE7793218E4F9EE9
seebug1cvelist1cve1nvd1prion1