Security Bulletin: Insufficient authorization check in IBM Business Process Manager (BPM) Search REST API (CVE-2014-6139)

Summary Using the Search REST API, non-administrative users can search for task and process instances that they are not allowed to see by specifying a parameter that should be available only to administrative users. Vulnerability Details CVE ID: CVE-2014-6139 CVSS Base Score: 3.5 CVSS Temporal...

Design/Logic Flaw

The Search REST API in IBM Business Process Manager 8.0.1.3, 8.5.0.1, and 8.5.5.0 allows remote authenticated users to bypass intended access restrictions and perform task-instance and process-instance searches by specifying a false value for the filterByCurrentUser parameter...

CVE-2014-6139

The CVE concerns IBM Business Process Manager (BPM) Search REST API allowing authenticated non-administrative users to bypass access controls by supplying an incorrect filterByCurrentUser value, enabling discovery of task- and process-instances the user should not see. Affected BPM products/versi...