CVE-2014-0908
The User Attribute implementation in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.2, and 8.5.x through 8.5.0.1 does not verify authorization for read or write access to attribute values, which allows remote authenticated users to obtain sensitive information, configure e-mail notifications, or modify task assignments via REST API calls.
Severity
N/A
EPSS
Probability of exploitation (next 30 days): 0.0050 (0.5%)
Percentile: 66.0%
EPSS: 2026-05-06
Affects
ibm:business_process_manager
Published: 4/10/2014, 11:55:04 PM
Last modified: 5/6/2026, 10:30:45 PM
References
- http://www-01.ibm.com/support/docview.wss?uid=swg1JR49505
- http://www-01.ibm.com/support/docview.wss?uid=swg21669330
- https://exchange.xforce.ibmcloud.com/vulnerabilities/91870