CVE-2025-36360
BaseFortify
Publication date: 2025-12-15
Last updated on: 2025-12-18
Assigner: IBM Corporation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | devops_deploy | From 8.0.0.0 (inc) to 8.0.1.11 (exc) |
| ibm | devops_deploy | From 8.1.0.0 (inc) to 8.1.2.4 (exc) |
| ibm | urbancode_deploy | From 7.1.0.0 (inc) to 7.1.2.28 (exc) |
| ibm | urbancode_deploy | From 7.2.0.0 (inc) to 7.2.3.21 (exc) |
| ibm | urbancode_deploy | From 7.3.0.0 (inc) to 7.3.2.16 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
AI Powered Q&A
How can this vulnerability impact me?
The vulnerability can allow unauthorized access to an existing session by reusing it from a new IP address during the brief window before the original session is invalidated. As reflected in the CVSS score, the resulting impact on confidentiality, integrity, and availability of the affected system is rated low. [1]
What immediate steps should I take to mitigate this vulnerability?
IBM recommends upgrading affected IBM UrbanCode Deploy and IBM DevOps Deploy versions to the fixed versions: 7.1.2.28, 7.2.3.21, 7.3.2.16, 8.0.1.11, 8.1.2.4, 8.2.0.0 or later. No workarounds or mitigations are provided. [1]
Can you explain this vulnerability to me?
This vulnerability is a race condition in the HTTP session client-IP binding enforcement in IBM UrbanCode Deploy and IBM DevOps Deploy. It allows a session to be briefly reused from a different IP address before the original session is invalidated, potentially enabling unauthorized access under certain network conditions. [1]