Search criteria

3 vulnerabilities found for UCD - IBM UrbanCode Deploy by IBM

CVE-2026-12085 (GCVE-0-2026-12085)

Vulnerability from cvelistv5 – Published: 2026-06-30 19:38 – Updated: 2026-07-01 14:01
VLAI?
Title
IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptable to an Insertion of Sensitive Information Into Sent Data vulnerability
Summary
IBM UCD - IBM UrbanCode Deploy 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 IBM DevOps Deploy could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system.
CWE
  • CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
ibm
References
Impacted products
Vendor Product Version
IBM UCD - IBM UrbanCode Deploy Affected: 7.3.0 , ≤ 7.3.2.18 (semver)
    cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.3:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.3.2.18:*:*:*:*:*:*:*
Create a notification for this product.
    IBM UCD - IBM DevOps Deploy Affected: 8.0 , ≤ 8.0.1.13 (semver)
Affected: 8.1.0 , ≤ 8.1.2.6 (semver)
Affected: 8.2.0 , ≤ 8.2.1.0 (semver)
    cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.0.1.13:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1.2.6:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.2:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.2.1.0:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12085",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-01T14:01:22.988510Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-01T14:01:30.936Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.3:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.3.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.3.2.18:*:*:*:*:*:*:*"
          ],
          "product": "UCD - IBM UrbanCode Deploy",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "7.3.2.18",
              "status": "affected",
              "version": "7.3.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.0.1.13:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1.2.6:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.2:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.2.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.2.1.0:*:*:*:*:*:*:*"
          ],
          "product": "UCD - IBM DevOps Deploy",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "8.0.1.13",
              "status": "affected",
              "version": "8.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.1.2.6",
              "status": "affected",
              "version": "8.1.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.2.1.0",
              "status": "affected",
              "version": "8.2.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM UCD - IBM UrbanCode Deploy 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 IBM DevOps Deploy could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system.\u003c/p\u003e"
            }
          ],
          "value": "IBM UCD - IBM UrbanCode Deploy 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 IBM DevOps Deploy could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-201",
              "description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T19:38:19.293Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7277577"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM strongly suggests the following:\u003c/p\u003e\u003cp\u003eUpgrade affected versions to any of \u003ca href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ERational\u0026amp;product=ibm/Rational/IBM+UrbanCode+Deploy\u0026amp;fixids=7.3.2.19-IBM-UrbanCode-Deploy\u0026amp;downloadMethod=http\" rel=\"nofollow\"\u003e7.3.2.19\u003c/a\u003e, \u003ca href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ERational\u0026amp;product=ibm/Rational/IBM+DevOps+Deploy\u0026amp;fixids=8.0.1.14-IBM-DevOps-Deploy\u0026amp;downloadMethod=http\" rel=\"nofollow\"\u003e8.0.1.14\u003c/a\u003e, \u003ca href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ERational\u0026amp;product=ibm/Rational/IBM+DevOps+Deploy\u0026amp;fixids=8.1.2.7-IBM-DevOps-Deploy\u0026amp;downloadMethod=http\" rel=\"nofollow\"\u003e8.1.2.7\u003c/a\u003e, \u003ca href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ERational\u0026amp;product=ibm/Rational/IBM+DevOps+Deploy\u0026amp;fixids=8.2.2.0-IBM-DevOps-Deploy\u0026amp;downloadMethod=http\" rel=\"nofollow\"\u003e8.2.2.0\u003c/a\u003e or later\u003c/p\u003e"
            }
          ],
          "value": "IBM strongly suggests the following:\n\n\n\nUpgrade affected versions to any of  7.3.2.19 https://www.ibm.com/support/fixcentral/swg/downloadFixes ,  8.0.1.14 https://www.ibm.com/support/fixcentral/swg/downloadFixes ,  8.1.2.7 https://www.ibm.com/support/fixcentral/swg/downloadFixes ,  8.2.2.0 https://www.ibm.com/support/fixcentral/swg/downloadFixes  or later"
        }
      ],
      "title": "IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptable to an Insertion of Sensitive Information Into Sent Data vulnerability",
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2026-12085",
    "datePublished": "2026-06-30T19:38:19.293Z",
    "dateReserved": "2026-06-12T13:20:09.092Z",
    "dateUpdated": "2026-07-01T14:01:30.936Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12086 (GCVE-0-2026-12086)

Vulnerability from cvelistv5 – Published: 2026-06-30 19:36 – Updated: 2026-07-01 13:24
VLAI?
Title
IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to a Insertion of Sensitive Information into Log File Vulnerability
Summary
IBM UCD - IBM UrbanCode Deploy 7.2 through 7.2.3.23, and 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 stores potentially sensitive information in log files that could be read by a local user.
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
ibm
References
Impacted products
Vendor Product Version
IBM UCD - IBM UrbanCode Deploy Affected: 7.2.0 , ≤ 7.2.3.23 (semver)
Affected: 7.3.0 , ≤ 7.3.2.18 (semver)
    cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.2:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.2.3.23:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.3:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.3.2.18:*:*:*:*:*:*:*
Create a notification for this product.
    IBM UCD - IBM DevOps Deploy Affected: 8.0 , ≤ 8.0.1.13 (semver)
Affected: 8.1.0 , ≤ 8.1.2.6 (semver)
Affected: 8.2.0 , ≤ 8.2.1.0 (semver)
    cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.0.1.13:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1.2.6:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.2:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.2.1.0:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12086",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-01T13:24:27.725922Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-01T13:24:38.890Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.2:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.2.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.2.3.23:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.3:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.3.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.3.2.18:*:*:*:*:*:*:*"
          ],
          "product": "UCD - IBM UrbanCode Deploy",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "7.2.3.23",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.3.2.18",
              "status": "affected",
              "version": "7.3.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.0.1.13:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1.2.6:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.2:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.2.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.2.1.0:*:*:*:*:*:*:*"
          ],
          "product": "UCD - IBM DevOps Deploy",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "8.0.1.13",
              "status": "affected",
              "version": "8.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.1.2.6",
              "status": "affected",
              "version": "8.1.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.2.1.0",
              "status": "affected",
              "version": "8.2.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM UCD - IBM UrbanCode Deploy 7.2 through 7.2.3.23, and 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 stores potentially sensitive information in log files that could be read by a local user.\u003c/p\u003e"
            }
          ],
          "value": "IBM UCD - IBM UrbanCode Deploy 7.2 through 7.2.3.23, and 7.3 through 7.3.2.18 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 stores potentially sensitive information in log files that could be read by a local user."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532 Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T19:36:28.096Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7277576"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM strongly suggests the following:\u003c/p\u003e\u003cp\u003eUpgrade affected versions to any of \u003ca href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ERational\u0026amp;product=ibm/Rational/IBM+UrbanCode+Deploy\u0026amp;fixids=7.2.3.24+-IBM-UrbanCode-Deploy\u0026amp;\u0026amp;downloadMethod=http\" rel=\"nofollow\"\u003e7.2.3.24\u003c/a\u003e, \u003ca href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ERational\u0026amp;product=ibm/Rational/IBM+UrbanCode+Deploy\u0026amp;fixids=7.3.2.19-IBM-UrbanCode-Deploy\u0026amp;downloadMethod=http\" rel=\"nofollow\"\u003e7.3.2.19\u003c/a\u003e, \u003ca href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ERational\u0026amp;product=ibm/Rational/IBM+DevOps+Deploy\u0026amp;fixids=8.0.1.14-IBM-DevOps-Deploy\u0026amp;downloadMethod=http\" rel=\"nofollow\"\u003e8.0.1.14\u003c/a\u003e, \u003ca href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ERational\u0026amp;product=ibm/Rational/IBM+DevOps+Deploy\u0026amp;fixids=8.1.2.7-IBM-DevOps-Deploy\u0026amp;downloadMethod=http\" rel=\"nofollow\"\u003e8.1.2.7\u003c/a\u003e, \u003ca href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ERational\u0026amp;product=ibm/Rational/IBM+DevOps+Deploy\u0026amp;fixids=8.2.2.0-IBM-DevOps-Deploy\u0026amp;downloadMethod=http\" rel=\"nofollow\"\u003e8.2.2.0\u003c/a\u003e or later\u003c/p\u003e"
            }
          ],
          "value": "IBM strongly suggests the following:\n\n\n\nUpgrade affected versions to any of  7.2.3.24 https://www.ibm.com/support/fixcentral/swg/downloadFixes ,  7.3.2.19 https://www.ibm.com/support/fixcentral/swg/downloadFixes ,  8.0.1.14 https://www.ibm.com/support/fixcentral/swg/downloadFixes ,  8.1.2.7 https://www.ibm.com/support/fixcentral/swg/downloadFixes ,  8.2.2.0 https://www.ibm.com/support/fixcentral/swg/downloadFixes  or later"
        }
      ],
      "title": "IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to a Insertion of Sensitive Information into Log File Vulnerability",
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2026-12086",
    "datePublished": "2026-06-30T19:36:28.096Z",
    "dateReserved": "2026-06-12T13:24:25.610Z",
    "dateUpdated": "2026-07-01T13:24:38.890Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-36360 (GCVE-0-2025-36360)

Vulnerability from cvelistv5 – Published: 2025-12-15 19:38 – Updated: 2025-12-15 20:30
VLAI?
Title
IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to an Insufficient Session Expiration vulnerability
Summary
IBM UCD - IBM UrbanCode Deploy 7.1 through 7.1.2.27, 7.2 through 7.2.3.20, and 7.3 through 7.3.2.15 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.10, and 8.1 through 8.1.2.3 is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated, potentially enabling unauthorized access under certain network conditions.
CWE
  • CWE-613 - Insufficient Session Expiration
Assigner
ibm
References
Impacted products
Vendor Product Version
IBM UCD - IBM UrbanCode Deploy Affected: 7.1 , ≤ 7.1.2.27 (semver)
Affected: 7.2 , ≤ 7.2.3.20 (semver)
Affected: 7.3 , ≤ 7.3.2.15 (semver)
    cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.1:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.1.2.27:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.2:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.2.3.20:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.3:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.3.2.15:*:*:*:*:*:*:*
Create a notification for this product.
    IBM UCD - IBM DevOps Deploy Affected: 8.0 , ≤ 8.0.1.10 (semver)
Affected: 8.1 , ≤ 8.1.2.3 (semver)
    cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.0.1.10:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1.2.3:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-36360",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-15T20:30:05.256376Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-15T20:30:18.476Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.1.2.27:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.2:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.2.3.20:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.3:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_urbancode_deploy:7.3.2.15:*:*:*:*:*:*:*"
          ],
          "product": "UCD - IBM UrbanCode Deploy",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "7.1.2.27",
              "status": "affected",
              "version": "7.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.2.3.20",
              "status": "affected",
              "version": "7.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.3.2.15",
              "status": "affected",
              "version": "7.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.0.1.10:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:ucd___ibm_devops_deploy:8.1.2.3:*:*:*:*:*:*:*"
          ],
          "product": "UCD - IBM DevOps Deploy",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "8.0.1.10",
              "status": "affected",
              "version": "8.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.1.2.3",
              "status": "affected",
              "version": "8.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM UCD - IBM UrbanCode Deploy 7.1 through 7.1.2.27, 7.2 through 7.2.3.20, and 7.3 through 7.3.2.15 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.10, and 8.1 through 8.1.2.3 is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated, potentially enabling unauthorized access under certain network conditions.\u003c/p\u003e"
            }
          ],
          "value": "IBM UCD - IBM UrbanCode Deploy 7.1 through 7.1.2.27, 7.2 through 7.2.3.20, and 7.3 through 7.3.2.15 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.10, and 8.1 through 8.1.2.3 is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated, potentially enabling unauthorized access under certain network conditions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-613",
              "description": "CWE-613 Insufficient Session Expiration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-15T19:39:21.484Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7254661"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eRemediation/Fixes IBM strongly suggests the following: Upgrade affected versions to any of 7.1.2.28 , 7.2.3.21 , 7.3.2.16 , 8.0.1.11 , 8.1.2.4 , 8.2.0.0 or later\u003c/p\u003e"
            }
          ],
          "value": "Remediation/Fixes IBM strongly suggests the following: Upgrade affected versions to any of 7.1.2.28 , 7.2.3.21 , 7.3.2.16 , 8.0.1.11 , 8.1.2.4 , 8.2.0.0 or later"
        }
      ],
      "title": "IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to an Insufficient Session Expiration vulnerability",
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-36360",
    "datePublished": "2025-12-15T19:38:57.832Z",
    "dateReserved": "2025-04-15T21:16:55.331Z",
    "dateUpdated": "2025-12-15T20:30:18.476Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}