Using the Search REST API, non-administrative users can search for task and process instances that they are not allowed to see by specifying a parameter that should be available only to administrative users.
CVE ID:CVE-2014-6139
CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/96909> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)
IBM Business Process Manager allows an authenticated user to specifiy a parameter in search results that would result in a list of process and task instances in the system to which this user has no access.
Install the interim fix for APAR JR51391 as appropriate for your current IBM Business Process Manager version.
* [IBM Business Process Manager Express](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Express&release=All&platform=All&function=aparId&apars=JR51391>)
* [IBM Business Process Manager Standard](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Standard&release=All&platform=All&function=aparId&apars=JR51391>)
* [IBM Business Process Manager Advanced](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Advanced&release=All&platform=All&function=aparId&apars=JR51391>)
None