FKIE_CVE-2025-58059

Vulnerability from fkie_nvd - Published: 2025-08-28 18:15 - Updated: 2025-08-29 16:24
Summary
Valtimo is a platform for Business Process Automation. In versions before 12.16.0.RELEASE, and from 13.0.0.RELEASE to before 13.1.2.RELEASE, any admin who can create or modify and execute process definitions could gain access to sensitive data or resources. This includes, but is not limited to: running executables on the application host, inspecting and extracting data from the host environment or application properties, and Spring beans (application context, database pooling). The following conditions have to be met in order to perform this attack: the user must be logged in, have the admin role, and must have some knowledge about running scripts via the Camunda/Operator engine. Versions 12.16.0 and 13.1.2 have been patched. It is strongly advised to upgrade. If no scripting is needed in any of the processes, it could be possible to disable it altogether via the ProcessEngineConfiguration. However, this workaround could lead to unexpected side effects.
{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Valtimo is a platform for Business Process Automation. In versions before 12.16.0.RELEASE, and from 13.0.0.RELEASE to before 13.1.2.RELEASE, any admin that can create or modify and execute process-definitions could gain access to sensitive data or resources. This includes but is not limited to: running executables on the application host, inspecting and extracting data from the host environment or application properties, spring beans (application context, database pooling). The following conditions have to be met in order to perform this attack: the user must be logged in, have the admin role, and must have some knowledge about running scripts via a the Camunda/Operator engine. Version 12.16.0 and 13.1.2 have been patched. It is strongly advised to upgrade. If no scripting is needed in any of the processes, it could be possible to disable it altogether via the ProcessEngineConfiguration. However, this workaround could lead to unexpected side-effects."
    },
    {
      "lang": "es",
      "value": "Valtimo es una plataforma para la Automatizaci\u00f3n de Procesos de Negocio. En versiones anteriores a la 12.16.0.RELEASE, y desde la 13.0.0.RELEASE hasta la 13.1.2.RELEASE, cualquier administrador que pueda crear o modificar y ejecutar definiciones de procesos podr\u00eda obtener acceso a datos o recursos sensibles. Esto incluye, entre otros: ejecutar archivos ejecutables en el host de la aplicaci\u00f3n, inspeccionar y extraer datos del entorno del host o de las propiedades de la aplicaci\u00f3n, beans de Spring (contexto de la aplicaci\u00f3n, pooling de la base de datos). Las siguientes condiciones deben cumplirse para realizar este ataque: el usuario debe haber iniciado sesi\u00f3n, tener el rol de administrador, y debe tener alg\u00fan conocimiento sobre la ejecuci\u00f3n de scripts a trav\u00e9s del motor Camunda/Operator. La versi\u00f3n 12.16.0 y la 13.1.2 han sido parcheadas. Se recomienda encarecidamente actualizar. Si no se necesita scripting en ninguno de los procesos, podr\u00eda ser posible deshabilitarlo por completo a trav\u00e9s de la ProcessEngineConfiguration. Sin embargo, esta soluci\u00f3n alternativa podr\u00eda provocar efectos secundarios inesperados."
    }
  ],
  "id": "CVE-2025-58059",
  "lastModified": "2025-08-29T16:24:29.730",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-08-28T18:15:33.850",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/valtimo-platform/valtimo-backend-libraries/commit/45eb60b0b2df5964fb9917295d0dceb1fff8dd85"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/valtimo-platform/valtimo-backend-libraries/security/advisories/GHSA-w48j-pp7j-fj55"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        },
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}