CVE-2025-48881

{"id": "CVE-2025-48881", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.5, "exploitabilityScore": 2.8}]}, "published": "2025-05-30T06:15:28.327", "references": [{"url": "https://github.com/valtimo-platform/valtimo-backend-libraries/commit/6ab04b30d3dab816bfea32d40ba50e5dd4517272", "source": "security-advisories@github.com"}, {"url": "https://github.com/valtimo-platform/valtimo-backend-libraries/security/advisories/GHSA-965r-9cg9-g42p", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Valtimo is a platform for Business Process Automation. In versions starting from 11.0.0.RELEASE to 11.3.3.RELEASE and 12.0.0.RELEASE to 12.12.0.RELEASE, all objects for which an object-management configuration exists can be listed, viewed, edited, created or deleted by unauthorised users. If object-urls are exposed via other channels, the contents of these objects can be viewed independent of object-management configurations. This issue has been patched in version 12.13.0.RELEASE. A workaround for this issue involves overriding the endpoint security as defined in ObjectenApiHttpSecurityConfigurer and ObjectManagementHttpSecurityConfigurer. Depending on the implementation, this could result in loss of functionality."}, {"lang": "es", "value": "Valtimo es una plataforma para la automatizaci\u00f3n de procesos de negocio. En las versiones 11.0.0.RELEASE a 11.3.3.RELEASE y 12.0.0.RELEASE a 12.12.0.RELEASE, todos los objetos con configuraci\u00f3n de gesti\u00f3n de objetos pueden ser listados, visualizados, editados, creados o eliminados por usuarios no autorizados. Si las URL de los objetos se exponen a trav\u00e9s de otros canales, su contenido puede visualizarse independientemente de la configuraci\u00f3n de gesti\u00f3n de objetos. En el momento de la publicaci\u00f3n, no se conocen parches. Una soluci\u00f3n alternativa para este problema consiste en anular la seguridad del endpoint, tal como se define en ObjectenApiHttpSecurityConfigurer y ObjectManagementHttpSecurityConfigurer. Dependiendo de la implementaci\u00f3n, esto podr\u00eda provocar la p\u00e9rdida de funcionalidad."}], "lastModified": "2025-06-04T21:15:40.263", "sourceIdentifier": "security-advisories@github.com"}