Impact
IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 fail to invalidate session IDs after they expire, so an authenticated user who previously obtained a session can keep using it to act as another user. The vulnerability is a classic session fixation issue: it gives an adversary the ability to impersonate legitimate users, potentially accessing sensitive data or performing privileged actions on the platform.
Affected Systems
The affected systems are IBM DevOps Automation version 1.0.1 and IBM DevOps Loop version 1.0.2. No further sub-release details are provided beyond the version numbers listed in the CNA data.
Risk and Exploitability
The CVSS score of 8.1 reflects a high-severity weakness with potential for unauthorized access. EPSS data is not available, so the likelihood of exploitation cannot be quantified, but the absence of a KEV listing suggests no confirmed exploitation in the wild as of this data set. The likely attack path requires an attacker to possess valid credentials or an existing authenticated session; from there, the attacker can reuse the expired session to hijack another user's account.
OpenCVE Enrichment