CVE-2025-48881 com.ritense.valtimo:objecten-api

Package

Manager: maven
Name: com.ritense.valtimo:objecten-api
Vulnerable Version: >=11.0.0.release <=11.3.3.release || >=12.0.0.release <12.13.0.release

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00057 (percentile 0.17713)

Details

Valtimo backend libraries allow objects in the object-api to be accessed and modified by unauthorized users.

Impact

All objects for which an object-management configuration exists can be listed, viewed, edited, created or deleted by unauthorized users. If object URLs are exposed via other channels, the contents of these objects can be viewed independent of object-management configurations.

Attack requirements

The following conditions have to be met in order to perform this attack:
- A user must be logged in
- No relevant application roles are required
- At least one object type must be configured via object-management
- The scope of the attack is limited to objects that are configured via object-management
- The value of `showInDataMenu` is irrelevant for this attack

Patches

This issue was patched in version 12.13.0.RELEASE.

Workarounds

It is possible to override the endpoint security as defined in `ObjectenApiHttpSecurityConfigurer` and `ObjectManagementHttpSecurityConfigurer`. Depending on the implementation, this could result in loss of functionality.

Metadata

Created: 2025-05-28T14:38:54Z
Modified: 2025-06-04T20:48:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-965r-9cg9-g42p/GHSA-965r-9cg9-g42p.json
CWE IDs: CWE-863
Alternative ID: GHSA-965r-9cg9-g42p
Finding: F006
Auto approve: 1