Valtimo Object Management Unauthorized Access Vulnerability

Vulnerability

A vulnerability in Valtimo's Business Process Automation platform allows unauthorized users to list, view, edit, create, or delete objects managed through the object management configuration. This issue affects Valtimo versions 11.0.0.RELEASE to 11.3.3.RELEASE and 12.0.0.RELEASE to 12.12.0.RELEASE. If object URLs are shared through other channels, the contents of these objects can be accessed regardless of the object management settings.

Impact

Exploitation of this vulnerability allows unauthorized users to manipulate objects within the application, including creating, editing, or deleting them. Additionally, it enables access to object contents through exposed URLs, bypassing object management configurations.

Remediation

As of now, no patch is available for this vulnerability. However, it is possible to override the endpoint security settings defined in 'ObjectenApiHttpSecurityConfigurer' and 'ObjectManagementHttpSecurityConfigurer'. This workaround may lead to a loss of functionality.
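The following is an added example of the workaround described above; it is not Valtimo's own code and not from this advisory. It shows a Spring Security configurer that requires an administrative authority on the object-management and Objecten API endpoints, so that the permissive rules from the two configurers named above no longer apply. Assumptions: Valtimo's HttpSecurityConfigurer contract (a configure(http: HttpSecurity) method), that a higher-precedence configurer's rules take effect first, the authority name ROLE_ADMIN, and the URL patterns, which are placeholders to be replaced with the paths an actual deployment exposes.

```kotlin
// Added example, not Valtimo project code. Assumed: Valtimo's HttpSecurityConfigurer
// contract, ordering by @Order, the ROLE_ADMIN authority name, and the placeholder paths.
import com.ritense.valtimo.contract.security.config.HttpSecurityConfigurer
import org.springframework.core.Ordered
import org.springframework.core.annotation.Order
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.stereotype.Component

@Component
// Assumption: the highest-precedence configurer registers its rules first, so these
// matchers are evaluated before the platform's own ObjectenApi/ObjectManagement rules.
@Order(Ordered.HIGHEST_PRECEDENCE)
class ObjectEndpointsLockdownConfigurer : HttpSecurityConfigurer {

    // PLACEHOLDER patterns: substitute the object-management and Objecten API
    // paths your installation actually serves.
    private val lockedDownPaths = arrayOf(
        "/api/**/object-management/**",
        "/api/**/object/**",
    )

    override fun configure(http: HttpSecurity) {
        http.authorizeHttpRequests { auth ->
            // Every list/view/create/edit/delete request on these paths now needs
            // an authenticated principal holding ROLE_ADMIN. Users who legitimately
            // worked with objects but lack that authority lose access, which is the
            // "loss of functionality" the advisory warns about.
            auth.requestMatchers(*lockedDownPaths).hasAuthority("ROLE_ADMIN")
        }
    }
}
```

After deploying such a configurer, confirm the effect with an unauthenticated request and with a non-admin account against each locked-down path: both should receive 401 or 403 rather than object contents, including for object URLs obtained outside the application.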

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 4.8
remediation: 0.0
relevance: 0.1
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.