cnvd - cnvd-2020-19865

cnvd-2020-19865

Vulnerability from cnvd

Title: IBM Business Process Manager和IBM Business Automation Workflow输入验证错误漏洞

Description:

IBM Business Process Manager（BPM）和IBM Business Automation Workflow都是美国IBM公司的产品。IBM Business Process Manager是一套综合的业务流程管理平台。该平台为业务的流程建模、组装、监控和部署提供了一系列的相关工具。IBM Business Automation Workflow是一套工作流程自动化解决方案。该产品主要用于工作流程管理、合规性管理，并具有工作流程可见性和可扩展等特点。

IBM BPM和IBM Business Automation Workflow中存在输入验证错误漏洞。该漏洞源于网络系统或产品未对输入的数据进行正确的验证。攻击者可利用该漏洞绕过安全限制并获得对易受攻击系统的未授权访问。

Severity: 中

Patch Name: IBM Business Process Manager和IBM Business Automation Workflow输入验证错误漏洞的补丁

Patch Description:

IBM BPM和IBM Business Automation Workflow中存在输入验证错误漏洞。该漏洞源于网络系统或产品未对输入的数据进行正确的验证。攻击者可利用该漏洞绕过安全限制并获得对易受攻击系统的未授权访问。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www-01.ibm.com/support/docview.wss?uid=ibm10870494

Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-4045

Impacted products

Name
['IBM Business Process Manager 8.5.5.0', 'IBM Business Process Manager 8.6.0.0', 'IBM Business Process Manager 8.5.7.0', 'IBM Business Automation Workflow 18.0.0.0', 'IBM Business Automation Workflow 18.0.0.1', 'IBM Business Automation Workflow 18.0.0.2', 'IBM Business Process Manager 8.5 1', 'IBM Business Process Manager 8.5.0.0', 'IBM Business Process Manager 8.5.0.2', 'IBM Business Process Manager 8.5.6.0', 'IBM Business Process Manager 8.5.6.0 CF 2', 'IBM Business Process Manager 8.5.7.0 CF 2016.12', 'IBM Business Process Manager 8.5.7.0 CF 2017.03', 'IBM Business Process Manager 8.5.7.0 CF 2017.06', 'IBM Business Process Manager 8.6.0.0 CF 2018.03']

Name

['IBM Business Process Manager 8.5.5.0', 'IBM Business Process Manager 8.6.0.0', 'IBM Business Process Manager 8.5.7.0', 'IBM Business Automation Workflow 18.0.0.0', 'IBM Business Automation Workflow 18.0.0.1', 'IBM Business Automation Workflow 18.0.0.2', 'IBM Business Process Manager 8.5 1', 'IBM Business Process Manager 8.5.0.0', 'IBM Business Process Manager 8.5.0.2', 'IBM Business Process Manager 8.5.6.0', 'IBM Business Process Manager 8.5.6.0 CF 2', 'IBM Business Process Manager 8.5.7.0 CF 2016.12', 'IBM Business Process Manager 8.5.7.0 CF 2017.03', 'IBM Business Process Manager 8.5.7.0 CF 2017.06', 'IBM Business Process Manager 8.6.0.0 CF 2018.03']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "108471"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-4045",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-4045"
    }
  },
  "description": "IBM Business Process Manager\uff08BPM\uff09\u548cIBM Business Automation Workflow\u90fd\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4ea7\u54c1\u3002IBM Business Process Manager\u662f\u4e00\u5957\u7efc\u5408\u7684\u4e1a\u52a1\u6d41\u7a0b\u7ba1\u7406\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3a\u4e1a\u52a1\u7684\u6d41\u7a0b\u5efa\u6a21\u3001\u7ec4\u88c5\u3001\u76d1\u63a7\u548c\u90e8\u7f72\u63d0\u4f9b\u4e86\u4e00\u7cfb\u5217\u7684\u76f8\u5173\u5de5\u5177\u3002IBM Business Automation Workflow\u662f\u4e00\u5957\u5de5\u4f5c\u6d41\u7a0b\u81ea\u52a8\u5316\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u7528\u4e8e\u5de5\u4f5c\u6d41\u7a0b\u7ba1\u7406\u3001\u5408\u89c4\u6027\u7ba1\u7406\uff0c\u5e76\u5177\u6709\u5de5\u4f5c\u6d41\u7a0b\u53ef\u89c1\u6027\u548c\u53ef\u6269\u5c55\u7b49\u7279\u70b9\u3002\n\nIBM BPM\u548cIBM Business Automation Workflow\u4e2d\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u5bf9\u8f93\u5165\u7684\u6570\u636e\u8fdb\u884c\u6b63\u786e\u7684\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\u5e76\u83b7\u5f97\u5bf9\u6613\u53d7\u653b\u51fb\u7cfb\u7edf\u7684\u672a\u6388\u6743\u8bbf\u95ee\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www-01.ibm.com/support/docview.wss?uid=ibm10870494",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-19865",
  "openTime": "2020-03-28",
  "patchDescription": "IBM Business Process Manager\uff08BPM\uff09\u548cIBM Business Automation Workflow\u90fd\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4ea7\u54c1\u3002IBM Business Process Manager\u662f\u4e00\u5957\u7efc\u5408\u7684\u4e1a\u52a1\u6d41\u7a0b\u7ba1\u7406\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3a\u4e1a\u52a1\u7684\u6d41\u7a0b\u5efa\u6a21\u3001\u7ec4\u88c5\u3001\u76d1\u63a7\u548c\u90e8\u7f72\u63d0\u4f9b\u4e86\u4e00\u7cfb\u5217\u7684\u76f8\u5173\u5de5\u5177\u3002IBM Business Automation Workflow\u662f\u4e00\u5957\u5de5\u4f5c\u6d41\u7a0b\u81ea\u52a8\u5316\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u7528\u4e8e\u5de5\u4f5c\u6d41\u7a0b\u7ba1\u7406\u3001\u5408\u89c4\u6027\u7ba1\u7406\uff0c\u5e76\u5177\u6709\u5de5\u4f5c\u6d41\u7a0b\u53ef\u89c1\u6027\u548c\u53ef\u6269\u5c55\u7b49\u7279\u70b9\u3002\r\n\r\nIBM BPM\u548cIBM Business Automation Workflow\u4e2d\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u5bf9\u8f93\u5165\u7684\u6570\u636e\u8fdb\u884c\u6b63\u786e\u7684\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\u5e76\u83b7\u5f97\u5bf9\u6613\u53d7\u653b\u51fb\u7cfb\u7edf\u7684\u672a\u6388\u6743\u8bbf\u95ee\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "IBM Business Process Manager\u548cIBM Business Automation Workflow\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "IBM Business Process Manager 8.5.5.0",
      "IBM Business Process Manager 8.6.0.0",
      "IBM Business Process Manager 8.5.7.0",
      "IBM Business Automation Workflow 18.0.0.0",
      "IBM Business Automation Workflow 18.0.0.1",
      "IBM Business Automation Workflow 18.0.0.2",
      "IBM Business Process Manager 8.5 1",
      "IBM Business Process Manager 8.5.0.0",
      "IBM Business Process Manager 8.5.0.2",
      "IBM Business Process Manager 8.5.6.0",
      "IBM Business Process Manager 8.5.6.0 CF 2",
      "IBM Business Process Manager 8.5.7.0 CF 2016.12",
      "IBM Business Process Manager 8.5.7.0 CF 2017.03",
      "IBM Business Process Manager 8.5.7.0 CF 2017.06",
      "IBM Business Process Manager 8.6.0.0 CF 2018.03"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-4045",
  "serverity": "\u4e2d",
  "submitTime": "2019-07-05",
  "title": "IBM Business Process Manager\u548cIBM Business Automation Workflow\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2019-4045 (GCVE-0-2019-4045)

Vulnerability from cvelistv5

Published

2019-04-08 14:50

Modified

2024-09-17 01:56

Severity ?

4.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C

CWE

Gain Access

Summary

IBM Business Automation Workflow and IBM Business Process Manager 18.0.0.0, 18.0.0.1, and 18.0.0.2 provide embedded document management features. Because of a missing restriction in an API, a client might spoof the last modified by value of a document. IBM X-Force ID: 156241.

References

▼	URL	Tags
	https://www.ibm.com/support/docview.wss?uid=ibm10870494	x_refsource_CONFIRM
	https://exchange.xforce.ibmcloud.com/vulnerabilities/156241	vdb-entry, x_refsource_XF

Impacted products

	Vendor	Product	Version
	IBM	Business Automation Workflow	Version: 18.0.0.0 Version: 18.0.0.1 Version: 18.0.0.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:26:27.946Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.ibm.com/support/docview.wss?uid=ibm10870494"
          },
          {
            "name": "ibm-bpm-cve20194045-gain-access (156241)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/156241"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Business Automation Workflow",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "18.0.0.0"
            },
            {
              "status": "affected",
              "version": "18.0.0.1"
            },
            {
              "status": "affected",
              "version": "18.0.0.2"
            }
          ]
        }
      ],
      "datePublic": "2019-04-04T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "IBM Business Automation Workflow and IBM Business Process Manager 18.0.0.0, 18.0.0.1, and 18.0.0.2 provide embedded document management features. Because of a missing restriction in an API, a client might spoof the last modified by value of a document. IBM X-Force ID: 156241."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "exploitCodeMaturity": "UNPROVEN",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "remediationLevel": "OFFICIAL_FIX",
            "reportConfidence": "CONFIRMED",
            "scope": "UNCHANGED",
            "temporalScore": 3.8,
            "temporalSeverity": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/S:U/UI:N/AC:L/C:N/A:N/PR:L/I:L/RC:C/RL:O/E:U",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Gain Access",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-04-08T14:50:38",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.ibm.com/support/docview.wss?uid=ibm10870494"
        },
        {
          "name": "ibm-bpm-cve20194045-gain-access (156241)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/156241"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@us.ibm.com",
          "DATE_PUBLIC": "2019-04-04T00:00:00",
          "ID": "CVE-2019-4045",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Business Automation Workflow",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "18.0.0.0"
                          },
                          {
                            "version_value": "18.0.0.1"
                          },
                          {
                            "version_value": "18.0.0.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "IBM"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "IBM Business Automation Workflow and IBM Business Process Manager 18.0.0.0, 18.0.0.1, and 18.0.0.2 provide embedded document management features. Because of a missing restriction in an API, a client might spoof the last modified by value of a document. IBM X-Force ID: 156241."
            }
          ]
        },
        "impact": {
          "cvssv3": {
            "BM": {
              "A": "N",
              "AC": "L",
              "AV": "N",
              "C": "N",
              "I": "L",
              "PR": "L",
              "S": "U",
              "UI": "N"
            },
            "TM": {
              "E": "U",
              "RC": "C",
              "RL": "O"
            }
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Gain Access"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.ibm.com/support/docview.wss?uid=ibm10870494",
              "refsource": "CONFIRM",
              "title": "IBM Security Bulletin 870494 (Business Automation Workflow)",
              "url": "https://www.ibm.com/support/docview.wss?uid=ibm10870494"
            },
            {
              "name": "ibm-bpm-cve20194045-gain-access (156241)",
              "refsource": "XF",
              "title": "X-Force Vulnerability Report",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/156241"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2019-4045",
    "datePublished": "2019-04-08T14:50:38.084656Z",
    "dateReserved": "2019-01-03T00:00:00",
    "dateUpdated": "2024-09-17T01:56:35.278Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted