Description
Valtimo is a platform for Business Process Automation. In versions 11.0.0.RELEASE through 11.3.3.RELEASE and 12.0.0.RELEASE through 12.12.0.RELEASE, every object for which an object-management configuration exists can be listed, viewed, edited, created or deleted by users who are not authorised to do so (the CVSS vector rates the required privilege as PR:L, i.e. any low-privileged authenticated user suffices). If object URLs are exposed through other channels, the contents of those objects can also be viewed regardless of any object-management configuration. This issue has been patched in version 12.13.0.RELEASE. A workaround is to override the endpoint security defined in ObjectenApiHttpSecurityConfigurer and ObjectManagementHttpSecurityConfigurer so that these endpoints require the intended authorisation. Depending on the implementation, this can result in loss of functionality, so after applying it verify both that legitimate flows still work and that a low-privileged account is refused on the object-management and objecten-api endpoints.
References (2)
Vendor Advisory (x_refsource_confirm)
https://github.com/valtimo-platform/valtimo-backend-libraries/security/advisories/GHSA-965r-9cg9-g42p
Scores
CVSS v3
8.3
EPSS
0.0029
EPSS Percentile
20.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-863
Status
published
Products (4)
com.ritense.valtimo/object-management
11.0.0.RELEASE (Maven)
com.ritense.valtimo/objecten-api
11.0.0.RELEASE (Maven)
valtimo-platform/valtimo-backend-libraries
>= 11.0.0.RELEASE, <= 11.3.3.RELEASE
valtimo-platform/valtimo-backend-libraries
>= 12.0.0.RELEASE, < 12.13.0.RELEASE
Published
May 30, 2025
Tracked Since
Feb 18, 2026