CVE-2014-4758
Description
IBM Business Process Manager (BPM) 7.5.x through 8.5.5 and WebSphere Lombardi Edition 7.2.x allow remote authenticated users to bypass intended access restrictions and send requests to internal services via a callService URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM BPM and WebSphere Lombardi Edition allow authenticated users to access internal services via callService URL, bypassing access restrictions.
Vulnerability
IBM Business Process Manager (BPM) versions 7.5.x through 8.5.5 and WebSphere Lombardi Edition 7.2.x contain a missing access restriction on service types when invoking a service via the callService URL. This allows remote authenticated users to access services that were intended for internal use only [1].
Exploitation
An attacker must be authenticated to the affected system. By crafting a callService URL, the attacker can send requests to internal services that are not normally exposed to external users. No additional privileges or user interaction are required beyond valid authentication [1].
Impact
Successful exploitation enables the attacker to bypass intended access restrictions and interact with internal services. This can lead to unauthorized actions, such as information disclosure or modification of data, depending on the functionality of the exposed service. The CVSS score of 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N) indicates a partial integrity impact with no confidentiality or availability impact [1].
Mitigation
IBM has not provided a workaround for this vulnerability. The security bulletin [1] recommends applying the fix provided by IBM. Affected organizations should upgrade to a patched version as specified in the bulletin. No known exploitation in the wild has been reported at the time of publication.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
IBM Business Process Manager
- cpe:2.3:a:ibm:business_process_manager:7.5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:7.5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:7.5.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:7.5.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:7.5.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.0.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.0.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:business_process_manager:8.5.5.0:*:*:*:*:*:*:*
- Range: >=7.5, <=8.5.5 (no CPE)
WebSphere Lombardi Edition
- cpe:2.3:a:ibm:websphere_application_server:7.2.0.1:-:lombardi:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:7.2.0.2:-:lombardi:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:7.2.0.3:-:lombardi:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:7.2.0.4:-:lombardi:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:7.2.0.5:-:lombardi:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:7.2:*:lombardi:*:*:*:*:*
- Range: 7.2.x
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.