Security Bulletin: Vulnerability in Node.js affects IBM Process Mining (CVE-2019-5484)

Summary

There is a vulnerability in Node.js that could allow a local attacker to launch a symlink attack. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability.

Vulnerability Details

CVEID:CVE-2019-5484
**DESCRIPTION:**Node.js bower module could allow a local attacker to launch a symlink attack. The bower module creates temporary files insecurely. A local attacker could exploit this vulnerability by creating a symbolic link from a temporary file to various files on the system, which could allow the attacker to overwrite arbitrary files on the system with elevated privileges.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/156341 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Products/Versions guidance:

Affected Product(s)|**Version(s)
**
—|—
IBM Process Mining| 1.12.0.3
|

Remediation/Fixes

Remediation/Fixes guidance:

Upgrade to version 1.12.0.4

1.Login to PassPortAdvantage

2. Search for
M05JKML Process Mining 1.12.0.4 Server Multiplatform Multilingual

3. Download package

4. Follow install instructions

5. Repeat for M05JJML Process Mining 1.12.0.4 Client Windows Multilingual

| |

Workarounds and Mitigations

Workarounds/Mitigation guidance:

None known