Vulnerability Name: CVE-2014-4802 (CCN-95304)
Assigned: 2014-10-06
Published: 2014-10-06
Updated: 2017-08-29

Summary: The Saved Search Admin component in the Process Admin Console in IBM Business Process Manager (BPM) 8.0 through 8.5.5 does not properly restrict task and instance listings in result sets, which allows remote authenticated users to bypass authorization checks and obtain sensitive information by executing a saved search.

CVSS v3 Severity: 3.5 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

CVSS v2 Severity:
- 4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
- 3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C)
- 3.0 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Vulnerability Type: CWE-264
Vulnerability Consequences: Obtain Information

References:
- Source: MITRE, Type: CNA, CVE-2014-4802
- Source: AIXAPAR, Type: Vendor Advisory, JR50984
- Source: CCN, Type: IBM Security Bulletin 1684771, Incorrect authorization in IBM Business Process Manager (BPM) Saved Search Admin (CVE-2014-4802)
- Source: CONFIRM, Type: Patch, Vendor Advisory, http://www-01.ibm.com/support/docview.wss?uid=swg21684771
- Source: CCN, Type: BID-70248, IBM Business Process Manager CVE-2014-4802 Information Disclosure Vulnerability
- Source: XF, Type: UNKNOWN, ibm-bpm-cve20144802-info-disc(95304)

Vulnerable Configuration:
- Configuration 1
- Configuration CCN 1 (denotes that component is vulnerable)