CVE-2024-22334

IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy 8.0 through 8.0.0.1 could be vulnerable to incomplete revocation of permissions when deleting a custom security resource type. When deleting a custom security type, associated permissions of objects using that type may not be fully revoked. This could lead to incorrect reporting of permission configuration and unexpected privileges being retained. IBM X-Force ID: 279974.

CVSS v3 4.4 MEDIUM

4.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.7 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://exchange.xforce.ibmcloud.com/vulnerabilities/279974	VDB Entry
https://www.ibm.com/support/pages/node/7148112	Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/279974	VDB Entry
https://www.ibm.com/support/pages/node/7148112	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:devops_deploy::::::::
	cpe:2.3:a:ibm:urbancode_deploy::::::::
	cpe:2.3:a:ibm:urbancode_deploy::::::::
	cpe:2.3:a:ibm:urbancode_deploy::::::::

History

29 Jan 2025, 21:27

Type	Values Removed	Values Added
References	~~() https://exchange.xforce.ibmcloud.com/vulnerabilities/279974 -~~	() https://exchange.xforce.ibmcloud.com/vulnerabilities/279974 - VDB Entry
References	~~() https://www.ibm.com/support/pages/node/7148112 -~~	() https://www.ibm.com/support/pages/node/7148112 - Vendor Advisory
First Time		Ibm urbancode Deploy Ibm Ibm devops Deploy
CPE		cpe:2.3:a:ibm:devops_deploy:::::::: cpe:2.3:a:ibm:urbancode_deploy::::::::

Information

Published : 2024-04-12 17:17

Updated : 2025-01-29 21:27

NVD link : CVE-2024-22334

Mitre link : CVE-2024-22334

CVE.ORG link : CVE-2024-22334

JSON object : View

Products Affected

ibm

urbancode_deploy
devops_deploy

CWE

CWE-732

Incorrect Permission Assignment for Critical Resource

{"id": "CVE-2024-22334", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@us.ibm.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 0.7}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 0.7}]}, "published": "2024-04-12T17:17:21.300", "references": [{"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/279974", "tags": ["VDB Entry"], "source": "psirt@us.ibm.com"}, {"url": "https://www.ibm.com/support/pages/node/7148112", "tags": ["Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/279974", "tags": ["VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.ibm.com/support/pages/node/7148112", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "psirt@us.ibm.com", "description": [{"lang": "en", "value": "CWE-732"}]}], "descriptions": [{"lang": "en", "value": "IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy 8.0 through 8.0.0.1 could be vulnerable to incomplete revocation of permissions when deleting a custom security resource type. When deleting a custom security type, associated permissions of objects using that type may not be fully revoked. This could lead to incorrect reporting of permission configuration and unexpected privileges being retained. IBM X-Force ID: 279974."}, {"lang": "es", "value": "IBM UrbanCode Deploy (UCD) 7.0 a 7.0.5.20, 7.1 a 7.1.2.16, 7.2 a 7.2.3.9, 7.3 a 7.3.2.4 e IBM DevOps Deploy 8.0 a 8.0.0.1 podr\u00edan ser vulnerables a una revocaci\u00f3n incompleta de permisos al eliminar un tipo de recurso de seguridad. Al eliminar un tipo de seguridad personalizado, es posible que los permisos asociados de los objetos que usan ese tipo no se revoquen por completo. Esto podr\u00eda dar lugar a informes incorrectos de la configuraci\u00f3n de permisos y a la retenci\u00f3n de privilegios inesperados. ID de IBM X-Force: 279974."}], "lastModified": "2025-01-29T21:27:26.997", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:devops_deploy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D6EE6B16-69D2-4346-BA42-C2C802747BDC", "versionEndExcluding": "8.0.1.0", "versionStartIncluding": "8.0.0.0"}, {"criteria": "cpe:2.3:a:ibm:urbancode_deploy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9CDB4B82-A3E1-4905-9372-1C95FE4A1AA1", "versionEndExcluding": "7.0.5.21", "versionStartIncluding": "7.0.0.0"}, {"criteria": "cpe:2.3:a:ibm:urbancode_deploy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "015364EF-C0CE-408E-A2C5-3A011C689EAE", "versionEndExcluding": "7.1.2.17", "versionStartIncluding": "7.1.0.0"}, {"criteria": "cpe:2.3:a:ibm:urbancode_deploy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CF86D6F3-550E-4E89-83E8-014089803E4E", "versionEndExcluding": "7.2.3.10", "versionStartIncluding": "7.2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}