CVE-2015-0110

IBM Business Process Manager (aka BPM) 7.5.x, 8.0.x, and 8.5.x and WebSphere Lombardi Edition (aka WLE) 7.2.x allow remote authenticated users to bypass intended access restrictions on internal service types via vectors involving the executeServiceByName URL.

Published: Sep 15, 2017
Updated: Apr 13, 2023
CVE: CVE-2015-0110
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:N/I:P/A:N

CWEs:

CWE-284

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
ibm / business_process_manager	8.5.0.0	8.5.0.0.x
ibm / business_process_manager	7.5.0.0	7.5.0.0.x
ibm / business_process_manager	8.0.1.0	8.0.1.0.x
ibm / business_process_manager	8.0.1.1	8.0.1.1.x
ibm / business_process_manager	8.5.5.0	8.5.5.0.x
ibm / business_process_manager	8.0.1.3	8.0.1.3.x
ibm / business_process_manager	7.5.1.2	7.5.1.2.x
ibm / business_process_manager	7.5.1.1	7.5.1.1.x
ibm / business_process_manager	8.5.0.1	8.5.0.1.x
ibm / business_process_manager	7.5.1.0	7.5.1.0.x
ibm / business_process_manager	8.0.0.0	8.0.0.0.x
ibm / business_process_manager	8.0.1.2	8.0.1.2.x
ibm / business_process_manager	7.5.0.1	7.5.0.1.x
ibm / websphere_application_server	7.2.0.3	7.2.0.3.x
ibm / websphere_application_server	7.2.0.1	7.2.0.1.x
ibm / websphere_application_server	7.2.0.2	7.2.0.2.x
ibm / websphere_application_server	7.2.0.5	7.2.0.5.x
ibm / websphere_application_server	7.2.0.4	7.2.0.4.x
ibm / websphere_application_server	7.2.0.0	7.2.0.0.x

Vulnerability Database

290,206

CVE-2015-0110