#VU12164 Incorrect authorization in IBM Business Process Manager - CVE-2017-1766

Cybersecurity Help s.r.o.

Published: 2018-04-25

Vulnerability identifier: #VU12164

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-1766

CWE-ID: CWE-863

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
IBM Business Process Manager
Server applications / Other server solutions

Vendor: IBM Corporation

Description
The vulnerability allows a remote authenticated attacker to write arbitrary files on the target system.

The weakness exists due to incorrect authorization. A remote attacker can claim and work on ad hoc tasks he is not assigned to.

Mitigation
Install update from vendor's website.

Vulnerable software versions

IBM Business Process Manager: 8.5.5.0 - 8.6.0

External links
https://www-01.ibm.com/support/docview.wss?uid=swg22011866

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Security restrictions bypass in IBM Business Process Manager