Information disclosure in IBM Business Process Manager

#VU11620 Information disclosure in IBM Business Process Manager

Published: 2018-04-08

Vulnerability identifier: #VU11620

Vulnerability risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-1765

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
IBM Business Process Manager
Server applications / Other server solutions

Vendor: IBM Corporation

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to unspecified error. A remote attacker can with "special privileges" can obtain potentially sensitive information about the target application server during snapshot export.

Mitigation
Install update from vendor's website.

Vulnerable software versions

IBM Business Process Manager: 8.0.0.0 - 8.6.0

External links
http://www-01.ibm.com/support/docview.wss?uid=swg22011844

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Red Hat Enterprise Linux 8 update for git-lfs

Multiple vulnerabilities in IBM Business Process Manager