CVE-2020-4446 - OpenCVE

IBM Business Process Manager 8.0, 8.5, and 8.6 and IBM Business Automation Workflow 18.0 and 19.0 could allow a remote attacker to bypass security restrictions, caused by the failure to perform insufficient authorization checks. IBM X-Force ID: 181126.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Business Automation Workflow Business Process Manager

Configuration 1 [-]

OR	cpe:2.3:a:ibm:business_automation_workflow::::::::
	cpe:2.3:a:ibm:business_automation_workflow::::::::
	cpe:2.3:a:ibm:business_process_manager::::::::
	cpe:2.3:a:ibm:business_process_manager::::::::
	cpe:2.3:a:ibm:business_process_manager:8.6.0.0:::::::*

No data.

References

Link	Providers
https://exchange.xforce.ibmcloud.com/vulnerabilities/181126
https://www.ibm.com/support/pages/node/6205805

History

No history.

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2020-05-06T13:45:19.952281Z

Updated: 2024-09-16T20:06:31.639Z

Reserved: 2019-12-30T00:00:00

Link: CVE-2020-4446

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-05-06T14:15:11.020

Modified: 2020-05-08T20:59:31.617

Link: CVE-2020-4446

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Business Process Manager Standard", "vendor": "IBM", "versions": [{"status": "affected", "version": "8.5.5"}, {"status": "affected", "version": "8.5.7.CF201706"}, {"status": "affected", "version": "8.5.7.CF201703"}, {"status": "affected", "version": "8.5.7.CF201612"}, {"status": "affected", "version": "8.5.7.CF201609"}, {"status": "affected", "version": "8.5.7.CF201606"}, {"status": "affected", "version": "8.5.7"}, {"status": "affected", "version": "8.5.6.2"}, {"status": "affected", "version": "8.5.6.1"}, {"status": "affected", "version": "8.5.6"}, {"status": "affected", "version": "8.6"}, {"status": "affected", "version": "8.5.0.2"}, {"status": "affected", "version": "8.5.0.1"}, {"status": "affected", "version": "8.5"}, {"status": "affected", "version": "8.0.1.3"}, {"status": "affected", "version": "8.0.1.2"}, {"status": "affected", "version": "8.0.1.1"}, {"status": "affected", "version": "8.0.1"}, {"status": "affected", "version": "8.0"}]}, {"product": "Business Automation Workflow", "vendor": "IBM", "versions": [{"status": "affected", "version": "18.0.0.0"}, {"status": "affected", "version": "19.0.0.1"}]}], "datePublic": "2020-05-05T00:00:00", "descriptions": [{"lang": "en", "value": "IBM Business Process Manager 8.0, 8.5, and 8.6 and IBM Business Automation Workflow 18.0 and 19.0 could allow a remote attacker to bypass security restrictions, caused by the failure to perform insufficient authorization checks. IBM X-Force ID: 181126."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "exploitCodeMaturity": "UNPROVEN", "integrityImpact": "NONE", "privilegesRequired": "LOW", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "temporalScore": 3.8, "temporalSeverity": "LOW", "userInteraction": "NONE", "vectorString": "CVSS:3.0/I:N/AV:N/A:N/UI:N/PR:L/S:U/C:L/AC:L/RC:C/E:U/RL:O", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Bypass Security", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-05-06T13:45:19", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.ibm.com/support/pages/node/6205805"}, {"name": "ibm-bpm-cve20204446-weak-security (181126)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/181126"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@us.ibm.com", "DATE_PUBLIC": "2020-05-05T00:00:00", "ID": "CVE-2020-4446", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Business Process Manager Standard", "version": {"version_data": [{"version_value": "8.5.5"}, {"version_value": "8.5.7.CF201706"}, {"version_value": "8.5.7.CF201703"}, {"version_value": "8.5.7.CF201612"}, {"version_value": "8.5.7.CF201609"}, {"version_value": "8.5.7.CF201606"}, {"version_value": "8.5.7"}, {"version_value": "8.5.6.2"}, {"version_value": "8.5.6.1"}, {"version_value": "8.5.6"}, {"version_value": "8.6"}, {"version_value": "8.5.0.2"}, {"version_value": "8.5.0.1"}, {"version_value": "8.5"}, {"version_value": "8.0.1.3"}, {"version_value": "8.0.1.2"}, {"version_value": "8.0.1.1"}, {"version_value": "8.0.1"}, {"version_value": "8.0"}]}}, {"product_name": "Business Automation Workflow", "version": {"version_data": [{"version_value": "18.0.0.0"}, {"version_value": "19.0.0.1"}]}}]}, "vendor_name": "IBM"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "IBM Business Process Manager 8.0, 8.5, and 8.6 and IBM Business Automation Workflow 18.0 and 19.0 could allow a remote attacker to bypass security restrictions, caused by the failure to perform insufficient authorization checks. IBM X-Force ID: 181126."}]}, "impact": {"cvssv3": {"BM": {"A": "N", "AC": "L", "AV": "N", "C": "L", "I": "N", "PR": "L", "S": "U", "UI": "N"}, "TM": {"E": "U", "RC": "C", "RL": "O"}}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Bypass Security"}]}]}, "references": {"reference_data": [{"name": "https://www.ibm.com/support/pages/node/6205805", "refsource": "CONFIRM", "title": "IBM Security Bulletin 6205805 (Business Process Manager Standard)", "url": "https://www.ibm.com/support/pages/node/6205805"}, {"name": "ibm-bpm-cve20204446-weak-security (181126)", "refsource": "XF", "title": "X-Force Vulnerability Report", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/181126"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:07:48.740Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.ibm.com/support/pages/node/6205805"}, {"name": "ibm-bpm-cve20204446-weak-security (181126)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/181126"}]}]}, "cveMetadata": {"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2020-4446", "datePublished": "2020-05-06T13:45:19.952281Z", "dateReserved": "2019-12-30T00:00:00", "dateUpdated": "2024-09-16T20:06:31.639Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:business_automation_workflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "1B8A1C8F-793A-4F66-8217-70E16C5C832B", "versionEndIncluding": "18.0.0.2", "versionStartIncluding": "18.0.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:business_automation_workflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "01362A8C-8482-4AEA-AF8C-62642B6BAD89", "versionEndIncluding": "19.0.0.3", "versionStartIncluding": "19.0.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:business_process_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "D7F25B9A-6BC9-474D-9EFD-80955C972F58", "versionEndIncluding": "8.0.1.3", "versionStartIncluding": "8.0.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:business_process_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "56662DF9-BE20-4B67-A391-889F9EB3F0AC", "versionEndIncluding": "8.5.7.0", "versionStartIncluding": "8.5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:business_process_manager:8.6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "324A0484-C50D-4400-B6FD-23D793F032AD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Business Process Manager 8.0, 8.5, and 8.6 and IBM Business Automation Workflow 18.0 and 19.0 could allow a remote attacker to bypass security restrictions, caused by the failure to perform insufficient authorization checks. IBM X-Force ID: 181126."}, {"lang": "es", "value": "IBM Business Process Manager versiones 8.0, 8.5 y 8.6 e IBM Business Automation Workflow versiones 18.0 y 19.0, podr\u00edan permitir a un atacante remoto omitir las restricciones de seguridad, causadas mediante el fallo al realizar comprobaciones de autorizaci\u00f3n insuficientes. ID de IBM X-Force: 181126."}], "id": "CVE-2020-4446", "lastModified": "2020-05-08T20:59:31.617", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "psirt@us.ibm.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-05-06T14:15:11.020", "references": [{"source": "psirt@us.ibm.com", "tags": ["VDB Entry", "Vendor Advisory"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/181126"}, {"source": "psirt@us.ibm.com", "tags": ["Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/6205805"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}