JEHC-BPM Remote Command Execution Vulnerability

Vulnerability

A remote command execution vulnerability has been identified in JEHC-BPM version 2.0.1. The '/server/executeExec' endpoint accepts crafted request parameters and runs the supplied command on the server. Because the endpoint performs no proper authorization check, an unauthorized user can submit arbitrary commands and have them executed with the privileges of the JEHC-BPM process.

Impact

Exploitation of this vulnerability gives an attacker arbitrary command execution on the host where JEHC-BPM is running, with the privileges of the JEHC-BPM service account.

Reproduction

To reproduce this vulnerability, send a POST request with a JSON body to the '/server/executeExec' endpoint. The body contains an 'actuator' object with the fields 'clientIp', 'port', 'applicationName', 'env', 'uploadTime', 'hasPrefixApplicationName' and 'clientHttpPrefix', plus an 'execParams' value holding the command to execute, for example 'id'. The request can be sent with Postman or with a short script; the response reflects the output of the executed command, which is what confirms the issue.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 0.2
threat: 6.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.