CVSS2
Score: 4 (Medium)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
When a service is invoked through the callService URL, there is no access restriction based on the service type, so services that were meant for internal use only are available to any authenticated user.
CVE ID: CVE-2014-4758
DESCRIPTION:
IBM Business Process Manager and Lombardi Edition are vulnerable to an authenticated remote attacker accessing services that were meant for internal use only.
CVSS Base Score: 4.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94485> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N)
Install the interim fix for APAR JR50215 as appropriate for your current IBM Business Process Manager or WebSphere Lombardi Edition version.
If you are using earlier unsupported versions, IBM strongly recommends upgrading to a supported version.
Note: This fix, by default, prevents access to services of types other than Ajax service. A new configuration option is available to enable other service types for backwards compatibility. See the APAR description for more details.
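The fix described in the note is a service-type allowlist in front of the callService entry point: authentication alone is no longer sufficient, the service type must also be one that is meant to be externally invocable, and a configuration switch can re-enable the other types. The following model of that control is an added example written for this page; it is not IBM's code, does not use any IBM Business Process Manager or Lombardi API, and the service-type names, catalog entries and configuration option are constructed for illustration.

```python
"""Service-type allowlist for a callService-style endpoint (hypothetical example).

Models the behaviour the advisory note describes: by default only Ajax
services are reachable through the external URL; a configuration option
re-enables the remaining service types for backwards compatibility.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed service-type names for this example (not IBM's real type names).
AJAX_SERVICE = "ajax"
INTERNAL_SERVICE_TYPES = frozenset({"general_system", "integration", "human"})


@dataclass
class CallServiceConfig:
    # Assumed configuration option; False is the secure default after the fix.
    allow_non_ajax_service_types: bool = False


@dataclass
class Service:
    name: str
    service_type: str


@dataclass
class Request:
    user: Optional[str]   # None means the request is unauthenticated
    service: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed catalog: one externally intended Ajax service and two internal ones.
CATALOG: Dict[str, Service] = {
    "lookup_customer_ajax": Service("lookup_customer_ajax", AJAX_SERVICE),
    "sync_ledger": Service("sync_ledger", "integration"),
    "reassign_task": Service("reassign_task", "general_system"),
}


def authorize_call(req: Request, catalog: Dict[str, Service], cfg: CallServiceConfig) -> Decision:
    """Decide whether a callService request may proceed.

    Pre-fix behaviour stopped at the authentication check, which is the
    weakness: any authenticated user could invoke any service type.
    """
    if req.user is None:
        return Decision(False, "authentication required")
    svc = catalog.get(req.service)
    if svc is None:
        return Decision(False, "unknown service")
    # The fix: enforce the service-type allowlist unless the compatibility
    # option has been deliberately turned on.
    if svc.service_type != AJAX_SERVICE and not cfg.allow_non_ajax_service_types:
        return Decision(False, f"service type {svc.service_type!r} is not exposed via callService")
    return Decision(True, "ok")


def audit_line(req: Request, decision: Decision) -> str:
    """One log line per decision, so denied internal-service calls are visible to monitoring."""
    outcome = "ALLOW" if decision.allowed else "DENY"
    return f"callService user={req.user or '-'} service={req.service} result={outcome} reason={decision.reason}"


def run_example(cfg: CallServiceConfig) -> Dict[str, bool]:
    """Evaluate a fixed set of constructed requests and return service -> allowed."""
    requests = [
        Request("alice", "lookup_customer_ajax"),
        Request("alice", "sync_ledger"),
        Request("alice", "reassign_task"),
        Request(None, "lookup_customer_ajax"),
    ]
    results = {}
    for req in requests:
        decision = authorize_call(req, CATALOG, cfg)
        print(audit_line(req, decision))
        results[f"{req.user or 'anon'}:{req.service}"] = decision.allowed
    return results


if __name__ == "__main__":
    print("-- secure default --")
    run_example(CallServiceConfig())
    print("-- compatibility option enabled --")
    run_example(CallServiceConfig(allow_non_ajax_service_types=True))
```

With the default configuration only the Ajax service is callable; enabling the compatibility option restores the pre-fix exposure for every authenticated user, so it should be treated as a deliberate, audited exception rather than a convenience setting, and the DENY log lines give a simple signal for anyone still probing internal service names after the fix is applied.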
None