Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2014-0908

The User Attribute implementation in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.2, and 8.5.x through 8.5.0.1 does not verify authorization for read or write access to attribute values, which allows remote authenticated users to obtain sensitive information, configure e-mail notifications, or modify task assignments via REST API calls.

Published

2014-04-10T23:55:04.730

Last Modified

2025-04-12T10:46:40.837

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 6.0 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:S/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
Exploitability Score

6.8

Impact Score

6.4

Weaknesses
  • Type: Primary
    CWE-264
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application ibm business_process_manager 7.5.0.0 Yes
Application ibm business_process_manager 7.5.0.1 Yes
Application ibm business_process_manager 7.5.1.0 Yes
Application ibm business_process_manager 7.5.1.1 Yes
Application ibm business_process_manager 7.5.1.2 Yes
Application ibm business_process_manager 8.0.0.0 Yes
Application ibm business_process_manager 8.0.1.0 Yes
Application ibm business_process_manager 8.0.1.1 Yes
Application ibm business_process_manager 8.0.1.2 Yes
Application ibm business_process_manager 8.5.0.0 Yes
Application ibm business_process_manager 8.5.0.1 Yes
References