IBMD4012BE582B8429A0FCCDE3F9E92C55D64C832ABDFE4D6349A1B4EB8A1781823Security Bulletin: Insufficient authorization check in IBM Business Process Manager (BPM) Search REST API (CVE-2014-6139)
EPSS
Percentile
30.7%
Summary
Using the Search REST API, non-administrative users can search for task and process instances that they are not allowed to see by specifying a parameter that should be available only to administrative users.
Vulnerability Details
CVE ID:CVE-2014-6139
CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/96909> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)
IBM Business Process Manager allows an authenticated user to specifiy a parameter in search results that would result in a list of process and task instances in the system to which this user has no access.
Affected Products and Versions
-
- IBM Business Process Manager Standard V8.0.x 8.5.x
- IBM Business Process Manager Express V8.0.x 8.5.x
- IBM Business Process Manager Advanced V8.0.x 8.5.x
Remediation/Fixes
Install the interim fix for APAR JR51391 as appropriate for your current IBM Business Process Manager version.
* [IBM Business Process Manager Express](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Express&release=All&platform=All&function=aparId&apars=JR51391>)
* [IBM Business Process Manager Standard](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Standard&release=All&platform=All&function=aparId&apars=JR51391>)
* [IBM Business Process Manager Advanced](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Advanced&release=All&platform=All&function=aparId&apars=JR51391>)
Workarounds and Mitigations
None
Related
EPSS
Percentile
30.7%