CVE-2024-28087 — Bonitasoft Runtime Community edition's contains an insecure direct object refere

描述

In Bonitasoft runtime Community edition, the lack of dynamic permissions causes IDOR vulnerability. Dynamic permissions existed only in Subscription edition and have now been restored in Community edition, where they are not custmizable.

如何修補 CVE-2024-28087

要修補 CVE-2024-28087,請將受影響套件升級到下列已修補版本。

—升級至 10.1.0.W11 或更新版本

CVE-2024-28087 正在被利用嗎?

低 — EPSS 為 0.1%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, < 10.1.0.W11

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

參考連結(5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-28087
PATCHgithub.com/bonitasoft/bonita-engine
WEBdocumentation.bonitasoft.com/bonita/2024.1/release-notes#_fixes_in_bonita_2024_1_u0_2024_04_11
WEBdocumentation.bonitasoft.com/bonita/latest/release-notes#_fixes_in_bonita_2024_1_2024_04_11