Valtimo Business Process Automation Platform Scripting Engine Vulnerability Allowing Access to Sensitive Data

Vulnerability

A vulnerability exists in the Valtimo platform for Business Process Automation, specifically in versions prior to 12.16.0.RELEASE and from 13.0.0.RELEASE to before 13.1.2.RELEASE. The issue allows any admin with the ability to create, modify, and execute process definitions to access sensitive data or resources. This access includes the ability to run executables on the application host, inspect and extract data from the host environment or application properties, and access Spring beans related to the application context and database pooling. Exploitation requires the user to be logged in, hold the admin role, and know how to run scripts via the Camunda/Operator engine.

Impact

Successful exploitation allows unauthorized access to sensitive data and resources, including the execution of scripts that could manipulate the application host or extract confidential information from the application environment or properties.

Reproduction

To reproduce this vulnerability, an admin user must log into the Valtimo platform and create a process definition that includes a script task. The script task can be configured to access sensitive data or resources, such as application properties or Spring beans. Once the process definition is saved, it can be executed, triggering the script task and exposing the sensitive data or resources.

Remediation

Users are advised to upgrade to Valtimo version 12.16.0.RELEASE or 13.1.2.RELEASE, both of which include patches for this vulnerability. If scripting is not needed in any process, the script engine may be disabled via the ProcessEngineConfiguration, although this can have unexpected side effects.
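Disabling the engine is only safe once you know no deployed definition relies on it. The following check is an added example, not part of this advisory or of Valtimo/Camunda code: it parses BPMN XML for the places Camunda runs scripts (bpmn:scriptTask, and camunda:script inside listeners and input/output mappings); the two sample definitions are constructed.

```python
# Constructed example (not Valtimo or Camunda code): inventory script hooks before disabling the engine.
import xml.etree.ElementTree as ET

BPMN_NS = "http://www.omg.org/spec/BPMN/20100524/MODEL"
CAMUNDA_NS = "http://camunda.org/schema/1.0/bpmn"

def _nearest_id(elem, parents):
    """Walk up to the closest element (self or ancestor) that carries an id."""
    while elem is not None and elem.get("id") is None:
        elem = parents.get(elem)
    return None if elem is None else elem.get("id")

def find_script_usage(bpmn_xml):
    """Return (kind, owning element id, script language) for each script hook:
    bpmn:scriptTask, and camunda:script nested in listeners or I/O mappings."""
    root = ET.fromstring(bpmn_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    found = []
    for task in root.iter(f"{{{BPMN_NS}}}scriptTask"):
        found.append(("scriptTask", task.get("id"), task.get("scriptFormat")))
    for script in root.iter(f"{{{CAMUNDA_NS}}}script"):
        owner = _nearest_id(script, parents)  # listener/mapping has no id of its own
        found.append(("camunda:script", owner, script.get("scriptFormat")))
    return found

def scripting_can_be_disabled(definitions):
    """True only if no definition in {name: xml} relies on the script engine."""
    return not any(find_script_usage(xml) for xml in definitions.values())

# Constructed sample definitions; real ones come from the engine's repository.
WITH_SCRIPT = f"""<bpmn:definitions xmlns:bpmn="{BPMN_NS}" xmlns:camunda="{CAMUNDA_NS}">
  <bpmn:process id="report">
    <bpmn:scriptTask id="collect" scriptFormat="groovy">
      <bpmn:script>execution.setVariable("n", 1)</bpmn:script>
    </bpmn:scriptTask>
    <bpmn:userTask id="review">
      <bpmn:extensionElements>
        <camunda:taskListener event="create">
          <camunda:script scriptFormat="javascript">task.setAssignee("demo")</camunda:script>
        </camunda:taskListener>
      </bpmn:extensionElements>
    </bpmn:userTask>
  </bpmn:process>
</bpmn:definitions>"""
NO_SCRIPT = f"""<bpmn:definitions xmlns:bpmn="{BPMN_NS}" xmlns:camunda="{CAMUNDA_NS}">
  <bpmn:process id="approve">
    <bpmn:userTask id="decide" camunda:assignee="${{starter}}"/>
  </bpmn:process>
</bpmn:definitions>"""
```

Run it over every definition exported from the engine; any non-empty result names the task or listener that would stop working if the engine were switched off.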

Added: Aug 28, 2025, 6:20 PM
Updated: Aug 28, 2025, 6:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 5.8
remediation: 0.0
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.