Because the authorization check for updating process instance variables is incorrect, users without the required permission can update process instance variables in IBM Business Process Manager.
CVEID: CVE-2016-0349
DESCRIPTION: IBM Business Process Manager allows authenticated users to update process instance variables by calling a REST API with incorrect authorization checks.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111817 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Install the interim fixes for APAR JR55701 as appropriate for your current IBM Business Process Manager version.
None