CVE-2015-1904
Severity: low
CVSS v3: —
CVSS v2: 3.5
VIR risk: 3.5
Description
IBM Business Process Manager (BPM) 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.0, when external Enterprise Content Management (ECM) integration is enabled with a certain technical system account configuration, allows remote authenticated users to bypass intended document-access restrictions via a (1) upload or (2) download action.
Predictions
Exploit likelihood: 20%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: psirt@us.ibm.com — http://www-01.ibm.com/support/docview.wss?uid=swg21960293
Vendor advisory: psirt@us.ibm.com — http://www-01.ibm.com/support/docview.wss?uid=swg1JR53209
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| ibm | business_process_manager | 8.0.0.0 | |
| ibm | business_process_manager | 8.0.1.0 | |
| ibm | business_process_manager | 8.0.1.1 | |
| ibm | business_process_manager | 8.0.1.2 | |
| ibm | business_process_manager | 8.0.1.3 | |
| ibm | business_process_manager | 8.5.0.0 | |
| ibm | business_process_manager | 8.5.0.1 | |
| ibm | business_process_manager | 8.5.5.0 | |
| ibm | business_process_manager | 8.5.6.0 | |
References
- http://www-01.ibm.com/support/docview.wss?uid=swg1JR53209
- http://www-01.ibm.com/support/docview.wss?uid=swg21960293
- http://www.securitytracker.com/id/1033159
CWEs
CWE-264