/server/executeExec of JEHC-BPM 2.0.1 allows attackers to execute arbitrary code via execParams.
The /server/executeExec endpoint in JEHC-BPM 2.0.1 accepts execution parameters (execParams) without required authorization and without proper input data validation (CWE-862: missing authorization). An attacker can send a crafted network request containing malicious execParams, which are then executed on the server side. The vulnerability is remotely accessible, requires no authentication, and requires no user interaction.
An attacker can gain full control over the server by executing arbitrary code with the privileges of the application process, which may lead to data theft, installation of backdoors, or complete system compromise. Due to the scope of impact covering confidentiality, integrity, and availability, the consequences may also affect related systems (Scope: Changed).
Apply patches available from the vendor according to the references. Until the fix is implemented, it is recommended to restrict network access to the /server/executeExec endpoint using firewall rules or rules at the application server level, and block access from public networks.
JEHC-BPM version 2.0.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HJehc Bpm
APPJehc≤ 2.0.1