Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03NnYyLTQ4dzYtY3J4cs4AA8GY

Bonitasoft Runtime Community edition contains an insecure direct object references vulnerability

In Bonitasoft Runtime Community edition, the lack of dynamic permissions causes an IDOR vulnerability. Dynamic permissions existed only in the Subscription edition and have now been restored in the Community edition, where they are not customizable.

Permalink: https://github.com/advisories/GHSA-76v2-48w6-crxr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03NnYyLTQ4dzYtY3J4cs4AA8GY
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 months ago
Updated: 3 months ago


CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Identifiers: GHSA-76v2-48w6-crxr, CVE-2024-28087
References: Repository: https://github.com/bonitasoft/bonita-engine
Blast Radius: 7.6

Affected Packages

maven:org.bonitasoft.engine:bonita-server
Dependent packages: 4
Dependent repositories: 15
Downloads:
Affected Version Ranges: < 10.1.0.W11
Fixed in: 10.1.0.W11
All affected versions:
All unaffected versions: 6.1.0, 6.1.1, 6.1.2, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.4.0, 6.4.1, 6.4.2, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.4.0, 7.4.1, 7.4.2, 7.4.3, 7.5.0, 7.5.1, 7.5.2, 7.5.4, 7.6.0, 7.6.1, 7.6.2, 7.6.3, 7.7.0, 7.7.1, 7.7.2, 7.7.3, 7.7.4, 7.7.5, 7.8.0, 7.8.1, 7.8.2, 7.8.3, 7.8.4, 7.9.0, 7.9.1, 7.9.2, 7.9.3, 7.9.4, 7.9.5, 7.10.0, 7.10.1, 7.10.3, 7.10.4, 7.10.5, 7.10.6, 7.11.0, 7.11.1, 7.11.2, 7.11.3, 7.11.4, 7.12.1, 7.13.0, 7.14.0, 7.15.0, 8.0.0, 9.0.0, 10.0.0, 10.1.0, 10.2.0