Impact
The vulnerability allows an attacker who can authenticate to IBM UCD to receive API responses that contain configuration data and secrets. Exposing such sensitive information is a direct data disclosure flaw that could be used by a malicious actor to launch further attacks against the system.
Affected Systems
IBM DevOps Deploy versions 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0, as well as IBM UrbanCode Deploy versions 7.3 through 7.3.2.18, contain the affected API endpoints.
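For inventory triage, the ranges above can be checked numerically; this is an added example, not code from IBM or from the advisory. The product keys, host names and inventory format are assumptions made for illustration, and the bounds are treated as inclusive, as listed.

```python
# Affected ranges copied from the advisory text; the dictionary keys are
# hypothetical product labels chosen for this example.
AFFECTED = {
    "devops-deploy": [("8.0", "8.0.1.13"), ("8.1", "8.1.2.6"), ("8.2", "8.2.1.0")],
    "urbancode-deploy": [("7.3", "7.3.2.18")],
}


def parse_version(text, width=4):
    """Turn '8.0.1.9' into (8, 0, 1, 9); short forms such as '8.1' pad with zeros."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= width:
        raise ValueError(f"unrecognised version string: {text!r}")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (width - len(nums)))


def is_affected(product, version):
    """True when the version falls inside any listed range for the product."""
    v = parse_version(version)
    # Tuple comparison is numeric per component, so 8.0.1.9 < 8.0.1.13
    # (a plain string comparison would order these the wrong way round).
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED[product])


def triage(inventory):
    """Split (host, product, version) rows into affected hosts and rows needing review."""
    affected, review = [], []
    for host, product, version in inventory:
        try:
            if is_affected(product, version):
                affected.append(host)
        except (KeyError, ValueError):
            review.append(host)  # unknown product or unparseable version
    return affected, review


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("deploy-a", "devops-deploy", "8.0.1.9"),
        ("deploy-b", "devops-deploy", "8.0.1.14"),
        ("deploy-c", "urbancode-deploy", "7.3.2.18"),
        ("deploy-d", "devops-deploy", "8.1.x"),
    ]
    print(triage(sample))
```

Rows that land in the review list have a version string or product label the check could not interpret and should be confirmed by hand rather than assumed unaffected.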
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, so public exploitation data is lacking. Attackers would need valid credentials to access the API, limiting the attack to authenticated users, but once the sensitive data is disclosed, it can be leveraged for privilege escalation or targeted attacks. The overall risk is medium, but patching is advised.