CVE-2025-48881 Information

Description

Valtimo is a platform for Business Process Automation. In versions from 11.0.0.RELEASE to 11.3.3.RELEASE and from 12.0.0.RELEASE to 12.12.0.RELEASE, all objects for which an object-management configuration exists can be listed, viewed, edited, created or deleted by unauthorised users. If object URLs are exposed via other channels, the contents of these objects can be viewed independently of object-management configurations. At the time of publication no known patches exist. A workaround for this issue involves overriding the endpoint security as defined in ObjectenApiHttpSecurityConfigurer and ObjectManagementHttpSecurityConfigurer. Depending on the implementation, this could result in loss of functionality.

Reference

https://github.com/valtimo-platform/valtimo-backend-libraries/security/advisories/GHSA-965r-9cg9-g42p
