History: Jun 15, 2018 - 7:02 a.m.

Security Bulletin: Security vulnerability in Node.js module affects IBM Business Process Manager (BPM) Configuration Editor (CVE-2015-1164)

2018-06-15 07:02:25
www.ibm.com

EPSS: 0.003 Low

Percentile: 71.8%

Summary

A security vulnerability has been reported for a dependent Node.js module “express”. CVE-2015-1164 affects IBM Business Process Manager (BPM) because IBM BPM includes a stand-alone tool for editing configuration properties files that is based on open source Node.js technology.

Vulnerability Details

CVE-ID: CVE-2015-1164
Description: serve-static module for Node.js could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. A remote attacker could exploit this vulnerability to redirect a victim to arbitrary Web sites.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99936> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

* IBM Business Process Manager Express V8.5.5
* IBM Business Process Manager Standard V8.5.5
* IBM Business Process Manager Advanced V8.5.5

Remediation/Fixes

Install IBM Business Process Manager interim fix JR52288 as appropriate for your current IBM Business Process Manager.

Workarounds and Mitigations

IBM BPM Configuration Editor is a stand-alone tool that is shipped as a zip archive. Vulnerabilities can only be exploited after unzipping the archive and starting the server part of the tool. As a workaround, you can use any ordinary text editor to work with IBM BPM configuration properties files.
