Security vulnerabilities have been reported for some dependent Node.js modules. IBM Business Process Manager includes a stand-alone tool for editing configuration properties files that is based on open source Node.js technology.
CVE-ID: CVE-2014-6394
Description: Node.js might allow a remote attacker to traverse directories on the system. An attacker might send a specially crafted URL request that contains directory traversal sequences to view arbitrary files on the system.
CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/96727> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2014-7191
Description: Node.js is vulnerable to a denial of service, which is caused by an error in the qs module when parsing a string representing a deeply nested object. An attacker might exploit this vulnerability to block the event loop for an extended period of time and cause a denial of service.
CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/96729> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
* IBM Business Process Manager Express V8.5.5
* IBM Business Process Manager Standard V8.5.5
* IBM Business Process Manager Advanced V8.5.5
Install IBM Business Process Manager interim fix JR51491 as appropriate for your current IBM Business Process Manager.
IBM BPM Configuration Editor is a stand-alone tool that is shipped as a zip archive. The vulnerabilities can be exploited only after the archive is unzipped and the server part of the tool is started. As a workaround, you can use any standard text editor to work with IBM BPM configuration properties files.
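The two issue classes described above (directory traversal sequences in a URL, and a query string that represents a deeply nested object) can both be screened before a request reaches a file handler or a query parser. The following is an added example, not code from IBM or from the affected Node.js modules; the function names, the `MAX_DEPTH` limit and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: pre-parse request screening. All names and limits are assumptions.
const MAX_DEPTH = 5; // assumed cap on bracket nesting in a query key, e.g. a[b][c]

// Split a URL path into clean segments; return null if it could leave the served root.
function safeSegments(urlPath) {
  let decoded;
  try { decoded = decodeURIComponent(urlPath); } catch { return null; } // malformed escape
  if (decoded.includes('\0')) return null;       // NUL byte is never legitimate in a path
  const out = [];
  for (const seg of decoded.split(/[\\/]+/)) {   // treat "\" like "/" so both are covered
    if (seg === '' || seg === '.') continue;
    if (seg === '..') return null;               // any parent reference is rejected
    out.push(seg);
  }
  return out;
}

// Deepest bracket nesting among the keys of a raw query string (linear-time scan).
function queryNestingDepth(rawQuery) {
  let deepest = 0;
  for (const pair of rawQuery.split('&')) {
    let key;
    try { key = decodeURIComponent(pair.split('=')[0]); } catch { return Infinity; }
    const depth = (key.match(/\[/g) || []).length;
    if (depth > deepest) deepest = depth;
  }
  return deepest;
}

// Decide whether a request URL may be handed to the file handler and query parser.
function screenRequest(url) {
  const q = url.indexOf('?');
  const segments = safeSegments(q === -1 ? url : url.slice(0, q));
  if (segments === null) return { ok: false, reason: 'path-traversal' };
  if (queryNestingDepth(q === -1 ? '' : url.slice(q + 1)) > MAX_DEPTH) {
    return { ok: false, reason: 'query-too-deep' };
  }
  return { ok: true, path: '/' + segments.join('/') };
}

// Constructed sample requests: one benign, one per issue class.
for (const url of [
  '/props/app.properties?a[b]=1',
  '/props/%2e%2e/%2e%2e/secret.txt',
  '/props/app.properties?a' + '[k]'.repeat(50) + '=1',
]) console.log(url.slice(0, 40), screenRequest(url));
```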