Impact
IBM UrbanCode Deploy (UCD) implements Cross-Origin Resource Sharing (CORS) without restricting the allowed origins to trusted domains, allowing an attacker to perform privileged actions and retrieve confidential information. This vulnerability is a classic example of improper domain verification in CORS requests (CWE-942): the server accepts cross-origin requests from any site instead of checking the Origin header against an allowlist. An attacker could configure a malicious website to issue requests to UCD that the victim's browser will forward, thereby bypassing the intended same-origin protections and potentially gaining unauthorized administrative access or leaking sensitive data.
Affected Systems
IBM DevOps Deploy (UCD) versions 8.1 through 8.1.2.6 and 8.2 through 8.2.1.0 are affected. This covers the standard builds of IBM UCD in the 8.1 and 8.2 series, together with all interim patch releases up to the versions listed.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity. With no EPSS score available and no KEV listing, there are no publicly confirmed exploit campaigns at this time, but the permissive CORS policy offers a clear attack vector: host a malicious web page that sends privileged requests to the UCD instance. Successful exploitation would allow an attacker to perform actions normally restricted to authenticated users and to read sensitive configuration data. The risk level is moderate, but an organization should weigh the potential impact of unauthorized data exposure and remediate in a timely manner.
OpenCVE Enrichment