{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-12-23T00:00:00", "descriptions": [{"lang": "en", "value": "The default authorization constrains in KIE Workbench 6.0.x allows remote authenticated users to read or write to arbitrary files, bypass intended access restrictions, and possibly have other unspecified impact via unknown vectors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-02-20T15:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2015:0234", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0234.html"}, {"name": "RHSA-2015:0235", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0235.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/droolsjbpm/kie-wb-distributions/commit/90eed433d3"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T13:10:51.043Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2015:0234", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0234.html"}, {"name": "RHSA-2015:0235", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0235.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/droolsjbpm/kie-wb-distributions/commit/90eed433d3"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-8115", "datePublished": "2015-02-20T16:00:00", "dateReserved": "2014-10-10T00:00:00", "dateUpdated": "2024-08-06T13:10:51.043Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:kie_workbench:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "780D9EFD-2FE7-4F86-B4F7-035E92B4A336", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:kie_workbench:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "52224639-65FA-4BBD-A09E-DB05E202741A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The default authorization constrains in KIE Workbench 6.0.x allows remote authenticated users to read or write to arbitrary files, bypass intended access restrictions, and possibly have other unspecified impact via unknown vectors."}, {"lang": "es", "value": "Las limitaciones de la autorizaci\u00f3n por defecto en KIE Workbench 6.0.x permite a usuarios remotos autenticados leer o escribir a ficheros arbitrarios, evadir las restricciones de acceso, y posiblemente tener otro impacto no especificado a trav\u00e9s de vectores desconocidos."}], "id": "CVE-2014-8115", "lastModified": "2024-11-21T02:18:35.253", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-02-20T16:59:03.290", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0234.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0235.html"}, {"source": "secalert@redhat.com", "url": "https://github.com/droolsjbpm/kie-wb-distributions/commit/90eed433d3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0234.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0235.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/droolsjbpm/kie-wb-distributions/commit/90eed433d3"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank David Jorm for reporting this issue.", "affected_release": [{"advisory": "RHSA-2015:0234", "cpe": "cpe:/a:redhat:jboss_bpms:6.0", "package": "kie-workbench", "product_name": "Red Hat JBoss BPMS 6.0", "release_date": "2015-02-17T00:00:00Z"}, {"advisory": "RHSA-2015:0235", "cpe": "cpe:/a:redhat:jboss_brms:6.0", "package": "kie-workbench", "product_name": "Red Hat JBoss BRMS 6.0", "release_date": "2015-02-17T00:00:00Z"}], "bugzilla": {"description": "Workbench: Insufficient authorization constraints", "id": "1169545", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169545"}, "csaw": false, "cvss": {"cvss_base_score": "5.5", "cvss_scoring_vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "status": "verified"}, "cwe": "CWE-285", "details": ["The default authorization constrains in KIE Workbench 6.0.x allows remote authenticated users to read or write to arbitrary files, bypass intended access restrictions, and possibly have other unspecified impact via unknown vectors.", "It was discovered that the default authorization constrains applied on servelets deployed in the KIE Workbench application were insufficient. A remote, authenticated user without sufficient privileges could use this flaw to upload or download arbitrary files, perform privileged actions that otherwise cannot be accessed, or perform other more complex attacks."], "name": "CVE-2014-8115", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5", "fix_state": "Will not fix", "package_name": "droolsjbpm", "product_name": "Red Hat JBoss BRMS 5"}], "public_date": "2015-02-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-8115\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-8115"], "statement": "Red Hat JBoss BRMS 5 is now in Phase 3, Extended Life Support, of its life cycle. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/", "threat_severity": "Moderate"}