CVE-2014-4802 — IBM Business Process Manager vulnerability

CWE-2643 documents3 sources

Severity

4.0MEDIUMNVD

EPSS

0.2%

top 63.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Business Process Manager

Timeline

PublishedOct 7

Latest updateMay 17

Description

The Saved Search Admin component in the Process Admin Console in IBM Business Process Manager (BPM) 8.0 through 8.5.5 does not properly restrict task and instance listings in result sets, which allows remote authenticated users to bypass authorization checks and obtain sensitive information by executing a saved search.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages1 packages

▶NVDibm/business_process_manager8 versions+7

Patches

Patch: www-01.ibm.com ↗Patch: www-01.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-f2jg-q6x8-qc8m: The Saved Search Admin component in the Process Admin Console in IBM Business Process Manager (BPM) 8↗2022-05-17

▶

CVEList

CVE-2014-4802: The Saved Search Admin component in the Process Admin Console in IBM Business Process Manager (BPM) 8↗2014-10-07

▶