Bug 1169545 (CVE-2014-8115) - CVE-2014-8115 KIE Workbench: Insufficient authorization constraints
Summary: CVE-2014-8115 KIE Workbench: Insufficient authorization constraints
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-8115
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1169562 1169563 1169564 1169565 1169566 1169567
Blocks: 1168481 1181883
TreeView+ depends on / blocked
 
Reported: 2014-12-02 01:04 UTC by Pavel Polischouk
Modified: 2019-09-29 13:24 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that the default authorization constrains applied on servelets deployed in the KIE Workbench application were insufficient. A remote, authenticated user without sufficient privileges could use this flaw to upload or download arbitrary files, perform privileged actions that otherwise cannot be accessed, or perform other more complex attacks.
Clone Of:
Environment:
Last Closed: 2015-02-17 23:34:42 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0234 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.0.3 security update 2015-02-18 03:27:47 UTC
Red Hat Product Errata RHSA-2015:0235 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.0.3 security update 2015-02-18 03:27:36 UTC

Description Pavel Polischouk 2014-12-02 01:04:11 UTC
It was discovered that the default authorization constrains applied on servelets deployed in the KIE Workbench application were insufficient. A remote, authenticated user without sufficient privileges could use this flaw to upload or download arbitrary files, perform privileged actions that otherwise cannot be accessed, or perform other more complex attacks.

Comment 1 Pavel Polischouk 2014-12-02 01:57:58 UTC
Acknowledgements:

Red Hat would like to thank David Jorm for reporting this issue.

Comment 5 Pavel Polischouk 2015-01-30 16:14:03 UTC
Statement:

Red Hat JBoss BRMS 5 is now in Phase 3, Extended Life Support, of its life cycle. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/

Comment 6 errata-xmlrpc 2015-02-17 22:31:22 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html

Comment 7 errata-xmlrpc 2015-02-17 22:36:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html


Note You need to log in before you can comment on or make changes to this bug.