CVE-2014-0908
Vulnerability from cvelistv5
Published
2014-04-10 23:00
Modified
2024-08-06 09:27
Severity ?
Summary
The User Attribute implementation in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.2, and 8.5.x through 8.5.0.1 does not verify authorization for read or write access to attribute values, which allows remote authenticated users to obtain sensitive information, configure e-mail notifications, or modify task assignments via REST API calls.
References
psirt@us.ibm.comhttp://www-01.ibm.com/support/docview.wss?uid=swg1JR49505
psirt@us.ibm.comhttp://www-01.ibm.com/support/docview.wss?uid=swg21669330Vendor Advisory
psirt@us.ibm.comhttps://exchange.xforce.ibmcloud.com/vulnerabilities/91870
af854a3a-2127-422b-91ae-364da2661108http://www-01.ibm.com/support/docview.wss?uid=swg1JR49505
af854a3a-2127-422b-91ae-364da2661108http://www-01.ibm.com/support/docview.wss?uid=swg21669330Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://exchange.xforce.ibmcloud.com/vulnerabilities/91870
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T09:27:20.162Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21669330"
          },
          {
            "name": "JR49505",
            "tags": [
              "vendor-advisory",
              "x_refsource_AIXAPAR",
              "x_transferred"
            ],
            "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1JR49505"
          },
          {
            "name": "ibm-bpm-cve20140908-priv-escalation(91870)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91870"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-04-04T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The User Attribute implementation in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.2, and 8.5.x through 8.5.0.1 does not verify authorization for read or write access to attribute values, which allows remote authenticated users to obtain sensitive information, configure e-mail notifications, or modify task assignments via REST API calls."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-28T12:57:01",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21669330"
        },
        {
          "name": "JR49505",
          "tags": [
            "vendor-advisory",
            "x_refsource_AIXAPAR"
          ],
          "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1JR49505"
        },
        {
          "name": "ibm-bpm-cve20140908-priv-escalation(91870)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91870"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@us.ibm.com",
          "ID": "CVE-2014-0908",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The User Attribute implementation in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.2, and 8.5.x through 8.5.0.1 does not verify authorization for read or write access to attribute values, which allows remote authenticated users to obtain sensitive information, configure e-mail notifications, or modify task assignments via REST API calls."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21669330",
              "refsource": "CONFIRM",
              "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21669330"
            },
            {
              "name": "JR49505",
              "refsource": "AIXAPAR",
              "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1JR49505"
            },
            {
              "name": "ibm-bpm-cve20140908-priv-escalation(91870)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91870"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2014-0908",
    "datePublished": "2014-04-10T23:00:00",
    "dateReserved": "2014-01-06T00:00:00",
    "dateUpdated": "2024-08-06T09:27:20.162Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:business_process_manager:7.5.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"42264DE4-CEED-4FA5-8C77-82BF9A55F3F2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:business_process_manager:7.5.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A5E78ECD-6FFA-4AA0-B8B4-F9C002D6F8EF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:business_process_manager:7.5.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DAC02B89-813E-4B3D-B518-6565BE06C575\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:business_process_manager:7.5.1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"06DFA125-9D52-4C16-9946-DB8D43700415\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:business_process_manager:7.5.1.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"613CC0CD-083E-439A-9A53-777E69CDE2DE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:business_process_manager:8.0.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"161542A0-E919-4105-AD4F-C881ACF8D26B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:business_process_manager:8.0.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AF8D1DC9-CB5E-4627-8689-B5FA7C5DE1C5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:business_process_manager:8.0.1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"32504DEB-7391-4452-BA2E-409959B24222\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:business_process_manager:8.0.1.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D8F74820-DF10-499E-AF7A-93AC285843D1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:business_process_manager:8.5.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"989C89DF-C6CB-45C9-9592-30A83896BD71\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:business_process_manager:8.5.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"783C2592-9669-4C75-9E63-C834482F6F8A\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The User Attribute implementation in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.2, and 8.5.x through 8.5.0.1 does not verify authorization for read or write access to attribute values, which allows remote authenticated users to obtain sensitive information, configure e-mail notifications, or modify task assignments via REST API calls.\"}, {\"lang\": \"es\", \"value\": \"La implementaci\\u00f3n User Attribute en IBM Business Process Manager (BPM) 7.5.x hasta 7.5.1.2, 8.0.x hasta 8.0.1.2 y 8.5.x hasta 8.5.0.1 no verifica autorizaci\\u00f3n para acceso de lectura o escritura a valores de atributo, lo que permite a usuarios remotos autenticados obtener informaci\\u00f3n sensible, configurar notificaciones de e-mail o modificar asignaciones de tareas a trav\\u00e9s de llamadas REST API.\"}]",
      "id": "CVE-2014-0908",
      "lastModified": "2024-11-21T02:03:01.187",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 6.8, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2014-04-10T23:55:04.730",
      "references": "[{\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg1JR49505\", \"source\": \"psirt@us.ibm.com\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21669330\", \"source\": \"psirt@us.ibm.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/91870\", \"source\": \"psirt@us.ibm.com\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg1JR49505\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21669330\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/91870\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "psirt@us.ibm.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-264\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2014-0908\",\"sourceIdentifier\":\"psirt@us.ibm.com\",\"published\":\"2014-04-10T23:55:04.730\",\"lastModified\":\"2024-11-21T02:03:01.187\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The User Attribute implementation in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.2, and 8.5.x through 8.5.0.1 does not verify authorization for read or write access to attribute values, which allows remote authenticated users to obtain sensitive information, configure e-mail notifications, or modify task assignments via REST API calls.\"},{\"lang\":\"es\",\"value\":\"La implementaci\u00f3n User Attribute en IBM Business Process Manager (BPM) 7.5.x hasta 7.5.1.2, 8.0.x hasta 8.0.1.2 y 8.5.x hasta 8.5.0.1 no verifica autorizaci\u00f3n para acceso de lectura o escritura a valores de atributo, lo que permite a usuarios remotos autenticados obtener informaci\u00f3n sensible, configurar notificaciones de e-mail o modificar asignaciones de tareas a trav\u00e9s de llamadas REST API.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:P/I:P/A:P\",\"baseScore\":6.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":6.8,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:business_process_manager:7.5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"42264DE4-CEED-4FA5-8C77-82BF9A55F3F2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:business_process_manager:7.5.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A5E78ECD-6FFA-4AA0-B8B4-F9C002D6F8EF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:business_process_manager:7.5.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DAC02B89-813E-4B3D-B518-6565BE06C575\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:business_process_manager:7.5.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"06DFA125-9D52-4C16-9946-DB8D43700415\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:business_process_manager:7.5.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"613CC0CD-083E-439A-9A53-777E69CDE2DE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:business_process_manager:8.0.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"161542A0-E919-4105-AD4F-C881ACF8D26B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:business_process_manager:8.0.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AF8D1DC9-CB5E-4627-8689-B5FA7C5DE1C5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:business_process_manager:8.0.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"32504DEB-7391-4452-BA2E-409959B24222\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:business_process_manager:8.0.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D8F74820-DF10-499E-AF7A-93AC285843D1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:business_process_manager:8.5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"989C89DF-C6CB-45C9-9592-30A83896BD71\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:business_process_manager:8.5.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"783C2592-9669-4C75-9E63-C834482F6F8A\"}]}]}],\"references\":[{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg1JR49505\",\"source\":\"psirt@us.ibm.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21669330\",\"source\":\"psirt@us.ibm.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/91870\",\"source\":\"psirt@us.ibm.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg1JR49505\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21669330\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/91870\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.