CVE-2024-55904

CVE-2024-55904 is an OS command injection vulnerability (CWE-78) present in IBM DevOps Deploy versions 8.0 through 8.0.1.4 and 8.1 through 8.1.0.0, as well as IBM UrbanCode Deploy versions 7.0 through 7.0.5.25, 7.1 through 7.1.2.21, 7.2 through 7.2.3.14, and 7.3 through 7.3.2.9. The flaw enables a remote privileged authenticated attacker to execute arbitrary commands on the affected system by sending specially crafted input containing special elements. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts across confidentiality, integrity, and availability.

Exploitation requires a remote attacker to possess privileged authenticated access (PR:H) to the deployment platform. By crafting input with specific elements, the attacker can inject and execute arbitrary operating system commands on the server hosting the software, potentially leading to full system compromise within the context of the application's privileges.

IBM has published a security advisory detailing the vulnerability and available patches at https://www.ibm.com/support/pages/node/7182841. Security practitioners should consult this bulletin for version-specific remediation instructions and upgrade guidance.