CVE-2024-28087 — Bonitasoft Runtime Community edition's contains an insecure direct object refere

Description

In Bonitasoft runtime Community edition, the lack of dynamic permissions causes IDOR vulnerability. Dynamic permissions existed only in Subscription edition and have now been restored in Community edition, where they are not custmizable.

How to fix CVE-2024-28087

To remediate CVE-2024-28087, upgrade the affected package to a fixed version below.

—upgrade to 10.1.0.W11 or later

Is CVE-2024-28087 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 10.1.0.W11

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-28087
PATCHgithub.com/bonitasoft/bonita-engine
WEBdocumentation.bonitasoft.com/bonita/2024.1/release-notes#_fixes_in_bonita_2024_1_u0_2024_04_11
WEBdocumentation.bonitasoft.com/bonita/latest/release-notes#_fixes_in_bonita_2024_1_2024_04_11