{
  "threat_severity" : "Moderate",
  "public_date" : "2015-02-17T00:00:00Z",
  "bugzilla" : {
    "description" : "Workbench: Insufficient authorization constraints",
    "id" : "1169545",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1169545"
  },
  "cvss" : {
    "cvss_base_score" : "5.5",
    "cvss_scoring_vector" : "AV:N/AC:L/Au:S/C:P/I:P/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-285",
  "details" : [ "The default authorization constrains in KIE Workbench 6.0.x allows remote authenticated users to read or write to arbitrary files, bypass intended access restrictions, and possibly have other unspecified impact via unknown vectors.", "It was discovered that the default authorization constrains applied on servelets deployed in the KIE Workbench application were insufficient. A remote, authenticated user without sufficient privileges could use this flaw to upload or download arbitrary files, perform privileged actions that otherwise cannot be accessed, or perform other more complex attacks." ],
  "statement" : "Red Hat JBoss BRMS 5 is now in Phase 3, Extended Life Support, of its life cycle. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/",
  "acknowledgement" : "Red Hat would like to thank David Jorm for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat JBoss BPMS 6.0",
    "release_date" : "2015-02-17T00:00:00Z",
    "advisory" : "RHSA-2015:0234",
    "cpe" : "cpe:/a:redhat:jboss_bpms:6.0",
    "package" : "kie-workbench"
  }, {
    "product_name" : "Red Hat JBoss BRMS 6.0",
    "release_date" : "2015-02-17T00:00:00Z",
    "advisory" : "RHSA-2015:0235",
    "cpe" : "cpe:/a:redhat:jboss_brms:6.0",
    "package" : "kie-workbench"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat JBoss BRMS 5",
    "fix_state" : "Will not fix",
    "package_name" : "droolsjbpm",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-8115\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-8115" ],
  "name" : "CVE-2014-8115",
  "csaw" : false
}