CVE-2024-28087 – org.bonitasoft.engine:bonita-server
Package
Manager: maven
Name: org.bonitasoft.engine:bonita-server
Vulnerable Version: >=0 <10.1.0.w11
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00064 (percentile 0.20283)
Details
Bonitasoft Runtime Community edition contains an insecure direct object reference (IDOR) vulnerability. In Bonitasoft Runtime Community edition, the lack of dynamic permissions causes the IDOR vulnerability. Dynamic permissions existed only in the Subscription edition and have now been restored in the Community edition, where they are not customizable.
Metadata
Created: 2024-05-15T18:30:35Z
Modified: 2024-09-05T18:38:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-76v2-48w6-crxr/GHSA-76v2-48w6-crxr.json
CWE IDs: ["CWE-284", "CWE-639"]
Alternative ID: GHSA-76v2-48w6-crxr
Finding: F039
Auto approve: 1