CVE-2024-28087: Bonitasoft Runtime Community edition's contains an insecure direct object references vulnerability

May 15, 2024

In Bonitasoft runtime Community edition, the lack of dynamic permissions causes IDOR vulnerability. Dynamic permissions existed only in Subscription edition and have now been restored in Community edition, where they are not custmizable.

References

documentation.bonitasoft.com/bonita/latest/release-notes
github.com/advisories/GHSA-76v2-48w6-crxr
github.com/bonitasoft/bonita-engine
github.com/bonitasoft/bonita-engine/commit/1b3ac00f0178bfcfe8f01811a249b1893f0b1da1
nvd.nist.gov/vuln/detail/CVE-2024-28087

Code Behaviors & Features

Detect and mitigate CVE-2024-28087 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →