SecuriTricks - CVE-2025-36360

Description

IBM UCD - IBM UrbanCode Deploy 7.1 through 7.1.2.27, 7.2 through 7.2.3.20, and 7.3 through 7.3.2.15 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.10, and 8.1 through 8.1.2.3 is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated, potentially enabling unauthorized access under certain network conditions.

Product(s) Impacted

Vendor	Product	Versions
Ibm	Devops Deploy Urbancode Deploy	* *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-613

Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	ibm	devops_deploy	/	/	/	/	/	/	/	/
a	ibm	devops_deploy	/	/	/	/	/	/	/	/
a	ibm	urbancode_deploy	/	/	/	/	/	/	/	/
a	ibm	urbancode_deploy	/	/	/	/	/	/	/	/
a	ibm	urbancode_deploy	/	/	/	/	/	/	/	/

References

https://www.ibm.com/support/pages/node/7254661

CVSS Score

5.0 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

View Vector String

Timeline

Published: Dec. 15, 2025, 8:15 p.m.
Last Modified: Dec. 18, 2025, 6 p.m.

Status : Analyzed

CVE has had analysis completed and all data associations made.

More info

Source

psirt@us.ibm.com

CVE-2025-36360