CVE-2025-14148
BaseFortify
Publication date: 2025-12-15
Last updated on: 2025-12-18
Assigner: IBM Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | devops_deploy | From 8.1.0.0 (inc) to 8.1.2.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability exists in IBM DevOps Deploy versions 8.1 through 8.1.2.3 and allows an authenticated user with Large Language Model (LLM) integration configuration privileges to recover a previously saved LLM API token. This means that sensitive credentials are insufficiently protected and can be exposed to users who have certain configuration privileges. [1]
How can this vulnerability impact me? :
The impact of this vulnerability is that an authenticated user with specific privileges can obtain a previously saved LLM API token, potentially exposing sensitive credentials. This can lead to unauthorized access to LLM services or data that the token protects. The confidentiality of the system is highly impacted, although integrity and availability are not affected. [1]
What immediate steps should I take to mitigate this vulnerability?
IBM recommends upgrading affected IBM DevOps Deploy versions 8.1 through 8.1.2.3 to version 8.1.2.4, 8.2.0.0, or later to remediate this vulnerability. No workarounds or mitigations are provided. [1]