CVE-2025-36360Insufficient Session Expiration in IBM Devops Deploy

CWE-613Insufficient Session Expiration3 documents3 sources
Severity
5.0MEDIUMNVD
EPSS
0.1%
top 75.86%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
IBM Devops DeployIBM Urbancode DeployIBM UCD IBM Devops Deploy+1 more
Timeline
PublishedDec 15

Description

IBM UCD - IBM UrbanCode Deploy 7.1 through 7.1.2.27, 7.2 through 7.2.3.20, and 7.3 through 7.3.2.15 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.10, and 8.1 through 8.1.2.3 is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated, potentially enabling unauthorized access under certain network conditions.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:LExploitability: 1.6 | Impact: 3.4

Affected Packages4 packages

NVDibm/devops_deploy8.0.0.08.0.1.11+1
NVDibm/urbancode_deploy7.1.0.07.1.2.28+2
CVEListV5ibm/ucd_ibm_devops_deploy8.08.0.1.10+1
CVEListV5ibm/ucd_ibm_urbancode_deploy7.17.1.2.27+2

🔴Vulnerability Details

2
CVEList
IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to an Insufficient Session Expiration vulnerability2025-12-15
GHSA
GHSA-x855-7vwp-xj8v: IBM UCD - IBM UrbanCode Deploy 72025-12-15
CVE-2025-36360 — Insufficient Session Expiration in IBM | cvebase