CVE-2014-0908
First published: Thu Apr 10 2014(Updated: )
The User Attribute implementation in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.2, and 8.5.x through 8.5.0.1 does not verify authorization for read or write access to attribute values, which allows remote authenticated users to obtain sensitive information, configure e-mail notifications, or modify task assignments via REST API calls.
Credit: psirt@us.ibm.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Business Process Manager | =7.5.0.0 | |
| IBM Business Process Manager | =7.5.0.1 | |
| IBM Business Process Manager | =7.5.1.0 | |
| IBM Business Process Manager | =7.5.1.1 | |
| IBM Business Process Manager | =7.5.1.2 | |
| IBM Business Process Manager | =8.0.0.0 | |
| IBM Business Process Manager | =8.0.1.0 | |
| IBM Business Process Manager | =8.0.1.1 | |
| IBM Business Process Manager | =8.0.1.2 | |
| IBM Business Process Manager | =8.5.0.0 | |
| IBM Business Process Manager | =8.5.0.1 | |
| =7.5.0.0 | ||
| =7.5.0.1 | ||
| =7.5.1.0 | ||
| =7.5.1.1 | ||
| =7.5.1.2 | ||
| =8.0.0.0 | ||
| =8.0.1.0 | ||
| =8.0.1.1 | ||
| =8.0.1.2 | ||
| =8.5.0.0 | ||
| =8.5.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2014-0908?
CVE-2014-0908 is classified as a medium severity vulnerability due to its potential to expose sensitive information.
How do I fix CVE-2014-0908?
To fix CVE-2014-0908, upgrade IBM Business Process Manager to a version that addresses the authorization flaw.
What are the affected versions of IBM Business Process Manager in CVE-2014-0908?
CVE-2014-0908 affects IBM Business Process Manager versions 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.2, and 8.5.x through 8.5.0.1.
What type of attack can CVE-2014-0908 facilitate?
CVE-2014-0908 can facilitate unauthorized access to sensitive information by allowing remote authenticated users to read and write attribute values without proper authorization.
Is authentication required to exploit CVE-2014-0908?
Yes, exploitation of CVE-2014-0908 requires the attacker to be a remote authenticated user.
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/first-publish-date
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/source
- agent/tags
- agent/softwarecombine
- agent/event
- vendor/ibm
- canonical/ibm business process manager
- version/ibm business process manager/7.5.0.0
- version/ibm business process manager/7.5.0.1
- version/ibm business process manager/7.5.1.0
- version/ibm business process manager/7.5.1.1
- version/ibm business process manager/7.5.1.2
- version/ibm business process manager/8.0.0.0
- version/ibm business process manager/8.0.1.0
- version/ibm business process manager/8.0.1.1
- version/ibm business process manager/8.0.1.2
- version/ibm business process manager/8.5.0.0
- version/ibm business process manager/8.5.0.1