
Bonitasoft Runtime Community edition contains an insecure direct object reference (IDOR) vulnerability

Moderate severity GitHub Reviewed Published May 15, 2024 to the GitHub Advisory Database • Updated May 15, 2024

Package

org.bonitasoft.engine:bonita-server (Maven)

Affected versions

< 10.1.0.W11

Patched versions

10.1.0.W11

Description

In Bonitasoft Runtime Community edition, the lack of dynamic permissions causes an insecure direct object reference (IDOR) vulnerability: access decisions are based only on static, resource-type permissions, so a caller who is allowed to access one object of a given type can reach other objects of that type simply by supplying their identifier. Dynamic permissions, which additionally check the caller's relationship to the specific object being requested, previously existed only in the Subscription edition. They have now been restored in Community edition, where they are not customizable. The fix ships in 10.1.0.W11; any deployment that resolves an earlier org.bonitasoft.engine:bonita-server should upgrade rather than rely on application-side filtering.
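The following is an added illustration of the difference between a static (type-level) permission check and a dynamic (object-level) one; it is not code from Bonita and does not use the Bonita API. The `Case`, `User`, permission name `case_visualization` and the "initiator, assignee or supervisor" rule are all hypothetical stand-ins chosen for the example, and the sample data is constructed inline.

```java
// Added example: static-only authorization (IDOR) versus static + dynamic authorization.
// Not Bonita code; all types, names and data below are hypothetical and constructed.
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public class PermissionCheckDemo {

    // Hypothetical process instance ("case") with the people related to it.
    record Case(long id, long initiatorId, long assigneeId, Set<Long> supervisorIds, String summary) {}

    // Hypothetical caller holding a set of static, type-level permissions.
    record User(long id, Set<String> staticPermissions) {}

    // Constructed sample data: two cases owned by different people, same supervisor.
    static final Map<Long, Case> CASES = Map.of(
        100L, new Case(100L, 1L, 2L, Set.of(9L), "expense claim filed by user 1"),
        101L, new Case(101L, 3L, 4L, Set.of(9L), "leave request filed by user 3"));

    // Vulnerable variant: only the static permission is checked. Any caller holding
    // "case_visualization" can read ANY case by guessing or incrementing its id.
    static Optional<Case> getCaseStaticOnly(User caller, long caseId) {
        if (!caller.staticPermissions().contains("case_visualization")) {
            return Optional.empty();
        }
        return Optional.ofNullable(CASES.get(caseId));
    }

    // Dynamic rule (hypothetical): the caller must stand in some relation to this
    // particular case: they initiated it, it is assigned to them, or they supervise it.
    static boolean callerMayAccess(User caller, Case c) {
        return c.initiatorId() == caller.id()
            || c.assigneeId() == caller.id()
            || c.supervisorIds().contains(caller.id());
    }

    // Hardened variant: static check first, then the object-level check on the
    // resolved instance. An unrelated case yields the same result as a missing one,
    // so the endpoint does not confirm which ids exist.
    static Optional<Case> getCaseWithDynamicCheck(User caller, long caseId) {
        if (!caller.staticPermissions().contains("case_visualization")) {
            return Optional.empty();
        }
        Case c = CASES.get(caseId);
        if (c == null || !callerMayAccess(caller, c)) {
            return Optional.empty();
        }
        return Optional.of(c);
    }

    public static void main(String[] args) {
        // User 1 initiated case 100 and has no relationship to case 101.
        User user1 = new User(1L, Set.of("case_visualization"));
        User supervisor = new User(9L, Set.of("case_visualization"));

        System.out.println("static only, user 1 -> case 101: "
            + getCaseStaticOnly(user1, 101L).isPresent());
        System.out.println("static + dynamic, user 1 -> case 101: "
            + getCaseWithDynamicCheck(user1, 101L).isPresent());
        System.out.println("static + dynamic, user 1 -> case 100: "
            + getCaseWithDynamicCheck(user1, 100L).isPresent());
        System.out.println("static + dynamic, supervisor -> case 101: "
            + getCaseWithDynamicCheck(supervisor, 101L).isPresent());
    }
}
```

Compile and run with `javac PermissionCheckDemo.java && java PermissionCheckDemo` (Java 16 or later for records). The static-only path lets user 1 read case 101 although they are neither its initiator, assignee nor supervisor, which is the IDOR pattern the advisory describes; the dynamic path denies that request while still allowing user 1 their own case and the supervisor any case they oversee. When auditing an affected deployment, the question to ask of each object-addressed endpoint is exactly this: after the static permission passes, is there a check that ties the caller to the specific identifier in the request?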

References

Published by the National Vulnerability Database May 15, 2024
Published to the GitHub Advisory Database May 15, 2024
Last updated May 15, 2024
Reviewed May 15, 2024

Severity

Moderate (6.5 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Weaknesses

CVE ID

CVE-2024-28087

GHSA ID

GHSA-76v2-48w6-crxr