CVE-2024-22348
Published: 20 January 2025
Description
IBM DevOps Velocity 5.0.0 and IBM UrbanCode Velocity 4.0.0 through 4.0.25 use Cross-Origin Resource Sharing (CORS) in a way that could allow an attacker to carry out privileged actions and retrieve sensitive information, as the domain name is not limited to only trusted domains.
Security Summary
CVE-2024-22348 is a Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability affecting IBM DevOps Velocity 5.0.0 and IBM UrbanCode Velocity versions 4.0.0 through 4.0.25. The flaw arises because the software does not restrict the domain names accepted by its CORS policy to trusted domains, resulting in an improperly permissive CORS policy. It has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) and is associated with CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). The vulnerability was published on 2025-01-20.
An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows the attacker to carry out privileged actions and retrieve sensitive information by bypassing intended CORS restrictions.
IBM has published a security bulletin at https://www.ibm.com/support/pages/node/7172750 providing details on the vulnerability, affected versions, and recommended mitigation steps, including applying available patches.
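The following is an added example, not IBM's code, illustrating the CWE-942 pattern behind this CVE: a CORS handler that echoes any requesting origin with credentials allowed, beside the corrected form that only answers for an explicit allowlist of trusted origins, plus a check that flags the permissive response. The trusted origin names are hypothetical.

```python
from urllib.parse import urlsplit

# Hypothetical trusted origins; a real deployment would load these from configuration.
TRUSTED_ORIGINS = {"https://velocity.example.com", "https://ci.example.com"}


def reflect_any_origin(request_origin):
    """Weak: echoes whatever Origin header the browser sent and allows credentials.
    A page served from any untrusted origin can then make authenticated
    cross-site requests and read the responses."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def allowlisted_origin(request_origin, trusted=TRUSTED_ORIGINS):
    """Corrected: only an exact, normalised match against the trusted set is echoed.
    Suffix tricks such as 'https://velocity.example.com.evil.test', plain-http
    variants and the literal 'null' origin all fall through and get no CORS headers."""
    if request_origin is None:
        return {}
    parts = urlsplit(request_origin)
    # Reduce to scheme://host[:port] so only a well-formed origin can match.
    normalised = f"{parts.scheme}://{parts.netloc}".lower()
    if parts.scheme != "https" or normalised not in trusted:
        return {}  # no CORS headers: the browser refuses the cross-origin read
    return {
        "Access-Control-Allow-Origin": normalised,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def is_permissive(headers):
    """Detection helper: true when a response allows credentials for an origin
    that is not on the trusted list (the misconfiguration this CVE describes)."""
    origin = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    return creds and origin not in TRUSTED_ORIGINS
```

Running is_permissive() over captured responses from a test client is a quick way to confirm that a patched instance no longer reflects arbitrary origins.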
Details
- CWE(s)