The User Attribute feature in IBM Business Process Manager does not have an authorization concept.
As a consequence, each user can read and update their own attribute values and the attribute values for another user by using REST APIs. However, there are security-sensitive use cases for user attribute values, such as email notifications or task assignments that use expressions. You might also choose to store confidential information about users in user attribute values. The lack of authorization for this feature can create a security exposure.
CVEID: CVE-2014-0908
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91870 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:N)
Install IBM Business Process Manager interim fix JR49505 as appropriate for your current IBM Business Process Manager product version. Interim fixes are available for the following products:
* [IBM Business Process Manager Standard](<http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Standard&release=All&platform=All&function=aparId&apars=JR49505&source=fc>)
* [IBM Business Process Manager Express](<http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Express&release=All&platform=All&function=aparId&apars=JR49505&source=fc>)
* [IBM Business Process Manager Advanced](<http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Advanced&release=All&platform=All&function=aparId&apars=JR49505&source=fc>)
The following workarounds are available depending on your usage of the IBM Business Process Manager product and its REST APIs:
* Do not use user attribute values for security-sensitive use cases.
* Block write access to the REST APIs User resource (PUT and POST HTTP methods) in a firewall.
* Do not expose the User resource REST API on your web server.