CVE-2025-36360
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-15

Last updated on: 2025-12-18

Assigner: IBM Corporation

Description
IBM UCD - IBM UrbanCode Deploy 7.1 through 7.1.2.27, 7.2 through 7.2.3.20, and 7.3 through 7.3.2.15 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.10, and 8.1 through 8.1.2.3 is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated, potentially enabling unauthorized access under certain network conditions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-15
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-36360
EUVD
EUVD-2025-203434
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
ibm devops_deploy From 8.0.0.0 (inc) to 8.0.1.11 (exc)
ibm devops_deploy From 8.1.0.0 (inc) to 8.1.2.4 (exc)
ibm urbancode_deploy From 7.1.0.0 (inc) to 7.1.2.28 (exc)
ibm urbancode_deploy From 7.2.0.0 (inc) to 7.2.3.21 (exc)
ibm urbancode_deploy From 7.3.0.0 (inc) to 7.3.2.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

IBM recommends upgrading affected IBM UrbanCode Deploy and IBM DevOps Deploy versions to the fixed versions: 7.1.2.28, 7.2.3.21, 7.3.2.16, 8.0.1.11, 8.1.2.4, 8.2.0.0 or later. No workarounds or mitigations are provided. [1]

Executive Summary

This vulnerability is a race condition in the HTTP session client-IP binding enforcement in IBM UrbanCode Deploy and IBM DevOps Deploy. It allows a session to be briefly reused from a different IP address before the original session is invalidated, potentially enabling unauthorized access under certain network conditions. [1]

Impact Analysis

The vulnerability can potentially allow unauthorized access to sessions by reusing a session from a new IP address before the original session is invalidated. This could lead to low impact on confidentiality, integrity, and availability of the affected system, as indicated by the CVSS score. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-36360. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart