CVE-2014-0908 - OpenCVE

The User Attribute implementation in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.2, and 8.5.x through 8.5.0.1 does not verify authorization for read or write access to attribute values, which allows remote authenticated users to obtain sensitive information, configure e-mail notifications, or modify task assignments via REST API calls.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Business Process Manager

Configuration 1 [-]

OR	cpe:2.3:a:ibm:business_process_manager:7.5.0.0:::::::*
	cpe:2.3:a:ibm:business_process_manager:7.5.0.1:::::::*
	cpe:2.3:a:ibm:business_process_manager:7.5.1.0:::::::*
	cpe:2.3:a:ibm:business_process_manager:7.5.1.1:::::::*
	cpe:2.3:a:ibm:business_process_manager:7.5.1.2:::::::*
	cpe:2.3:a:ibm:business_process_manager:8.0.0.0:::::::*
	cpe:2.3:a:ibm:business_process_manager:8.0.1.0:::::::*
	cpe:2.3:a:ibm:business_process_manager:8.0.1.1:::::::*
	cpe:2.3:a:ibm:business_process_manager:8.0.1.2:::::::*
	cpe:2.3:a:ibm:business_process_manager:8.5.0.0:::::::*
	cpe:2.3:a:ibm:business_process_manager:8.5.0.1:::::::*

No data.

References

Link	Providers
http://www-01.ibm.com/support/docview.wss?uid=swg1JR49505
http://www-01.ibm.com/support/docview.wss?uid=swg21669330
https://exchange.xforce.ibmcloud.com/vulnerabilities/91870

History

No history.

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2014-04-10T23:00:00

Updated: 2024-08-06T09:27:20.162Z

Reserved: 2014-01-06T00:00:00

Link: CVE-2014-0908

Vulnrichment

No data.

NVD

Status : Modified

Published: 2014-04-10T23:55:04.730

Modified: 2017-08-29T01:34:20.107

Link: CVE-2014-0908

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-04-04T00:00:00", "descriptions": [{"lang": "en", "value": "The User Attribute implementation in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.2, and 8.5.x through 8.5.0.1 does not verify authorization for read or write access to attribute values, which allows remote authenticated users to obtain sensitive information, configure e-mail notifications, or modify task assignments via REST API calls."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21669330"}, {"name": "JR49505", "tags": ["vendor-advisory", "x_refsource_AIXAPAR"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1JR49505"}, {"name": "ibm-bpm-cve20140908-priv-escalation(91870)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91870"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@us.ibm.com", "ID": "CVE-2014-0908", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The User Attribute implementation in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.2, and 8.5.x through 8.5.0.1 does not verify authorization for read or write access to attribute values, which allows remote authenticated users to obtain sensitive information, configure e-mail notifications, or modify task assignments via REST API calls."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21669330", "refsource": "CONFIRM", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21669330"}, {"name": "JR49505", "refsource": "AIXAPAR", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1JR49505"}, {"name": "ibm-bpm-cve20140908-priv-escalation(91870)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91870"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:27:20.162Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21669330"}, {"name": "JR49505", "tags": ["vendor-advisory", "x_refsource_AIXAPAR", "x_transferred"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1JR49505"}, {"name": "ibm-bpm-cve20140908-priv-escalation(91870)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91870"}]}]}, "cveMetadata": {"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2014-0908", "datePublished": "2014-04-10T23:00:00", "dateReserved": "2014-01-06T00:00:00", "dateUpdated": "2024-08-06T09:27:20.162Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:business_process_manager:7.5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "42264DE4-CEED-4FA5-8C77-82BF9A55F3F2", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:business_process_manager:7.5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "A5E78ECD-6FFA-4AA0-B8B4-F9C002D6F8EF", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:business_process_manager:7.5.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "DAC02B89-813E-4B3D-B518-6565BE06C575", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:business_process_manager:7.5.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "06DFA125-9D52-4C16-9946-DB8D43700415", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:business_process_manager:7.5.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "613CC0CD-083E-439A-9A53-777E69CDE2DE", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:business_process_manager:8.0.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "161542A0-E919-4105-AD4F-C881ACF8D26B", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:business_process_manager:8.0.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "AF8D1DC9-CB5E-4627-8689-B5FA7C5DE1C5", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:business_process_manager:8.0.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "32504DEB-7391-4452-BA2E-409959B24222", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:business_process_manager:8.0.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "D8F74820-DF10-499E-AF7A-93AC285843D1", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:business_process_manager:8.5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "989C89DF-C6CB-45C9-9592-30A83896BD71", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:business_process_manager:8.5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "783C2592-9669-4C75-9E63-C834482F6F8A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The User Attribute implementation in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.2, and 8.5.x through 8.5.0.1 does not verify authorization for read or write access to attribute values, which allows remote authenticated users to obtain sensitive information, configure e-mail notifications, or modify task assignments via REST API calls."}, {"lang": "es", "value": "La implementaci\u00f3n User Attribute en IBM Business Process Manager (BPM) 7.5.x hasta 7.5.1.2, 8.0.x hasta 8.0.1.2 y 8.5.x hasta 8.5.0.1 no verifica autorizaci\u00f3n para acceso de lectura o escritura a valores de atributo, lo que permite a usuarios remotos autenticados obtener informaci\u00f3n sensible, configurar notificaciones de e-mail o modificar asignaciones de tareas a trav\u00e9s de llamadas REST API."}], "id": "CVE-2014-0908", "lastModified": "2017-08-29T01:34:20.107", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-04-10T23:55:04.730", "references": [{"source": "psirt@us.ibm.com", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1JR49505"}, {"source": "psirt@us.ibm.com", "tags": ["Vendor Advisory"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21669330"}, {"source": "psirt@us.ibm.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91870"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}