CVE-2017-1539
high
CVSS v3
8.8
CVSS v2
6.5
VIR risk
8.8
Description
IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to privilege escalation by not properly distinguishing internal group memberships from user registry group memberships. By manipulating LDAP group membership an attack might gain privileged access. IBM X-Force ID: 130807.
Predictions
Exploit likelihood
92%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: psirt@us.ibm.com — https://exchange.xforce.ibmcloud.com/vulnerabilities/130807
Vendor advisory: psirt@us.ibm.com — http://www.ibm.com/support/docview.wss?uid=swg22007451
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| ibm | business_process_manager | 7.5.0.0 | |
| ibm | business_process_manager | 7.5.0.1 | |
| ibm | business_process_manager | 7.5.1.0 | |
| ibm | business_process_manager | 7.5.1.1 | |
| ibm | business_process_manager | 7.5.1.2 | |
| ibm | business_process_manager | 8.0.0.0 | |
| ibm | business_process_manager | 8.0.1.0 | |
| ibm | business_process_manager | 8.0.1.1 | |
| ibm | business_process_manager | 8.0.1.2 | |
| ibm | business_process_manager | 8.0.1.3 | |
| ibm | business_process_manager | 8.5.0.0 | |
| ibm | business_process_manager | 8.5.0.1 | |
| ibm | business_process_manager | 8.5.0.2 | |
| ibm | business_process_manager | 8.5.5.0 | |
| ibm | business_process_manager | 8.5.6.0 | |
| ibm | business_process_manager | 8.5.6.1 | |
| ibm | business_process_manager | 8.5.6.2 | |
| ibm | business_process_manager | 8.5.7.0 | |
References
- http://www.ibm.com/support/docview.wss?uid=swg22007451
- http://www.securityfocus.com/bid/100967
- https://exchange.xforce.ibmcloud.com/vulnerabilities/130807
- http://www.ibm.com/support/docview.wss?uid=swg22007451
- http://www.securityfocus.com/bid/100967
- https://exchange.xforce.ibmcloud.com/vulnerabilities/130807
Verify integrity in audit chain (admin only). AS-IS.