CVE-2016-9693

Summary

IBM Business Process Manager 7.5, 8.0, and 8.5 has a file download capability that is vulnerable to a set of attacks. Ultimately, an attacker can cause an unauthenticated victim to download a malicious payload. An existing file type restriction can be bypassed so that the payload might be considered executable and cause damage on the victim's machine. IBM Reference #: 1998655.

Affected Software

VendorProductVersion RangeStatus
IBM CorporationBusiness Process Manager Advanced7.5affected
IBM CorporationBusiness Process Manager Advanced7.5.0.1affected
IBM CorporationBusiness Process Manager Advanced7.5.1affected
IBM CorporationBusiness Process Manager Advanced7.5.1.1affected
IBM CorporationBusiness Process Manager Advanced7.5.1.2affected
IBM CorporationBusiness Process Manager Advanced8.0affected
IBM CorporationBusiness Process Manager Advanced8.0.1affected
IBM CorporationBusiness Process Manager Advanced8.0.1.1affected
IBM CorporationBusiness Process Manager Advanced8.0.1.2affected
IBM CorporationBusiness Process Manager Advanced8.5affected
IBM CorporationBusiness Process Manager Advanced8.5.0.1affected
IBM CorporationBusiness Process Manager Advanced8.5.5affected
IBM CorporationBusiness Process Manager Advanced8.0.1.3affected
IBM CorporationBusiness Process Manager Advanced8.5.6affected
IBM CorporationBusiness Process Manager Advanced8.5.0.2affected
IBM CorporationBusiness Process Manager Advanced8.5.7affected
IBM CorporationBusiness Process Manager Advanced8.5.7.CF201609affected
IBM CorporationBusiness Process Manager Advanced8.5.6.1affected
IBM CorporationBusiness Process Manager Advanced8.5.6.2affected
IBM CorporationBusiness Process Manager Advanced8.5.7.CF201606affected
IBM CorporationBusiness Process Manager Advanced8.5.7.CF201612affected

Weaknesses

  • Gain Access

ADP Enrichment

CVE Program Container

Additional References

References