Impact
The vulnerability allows a local user to read log files that contain potentially sensitive information, such as credentials or confidential deployment details, resulting in confidential data exposure and undermining trust in deployment pipelines. It stems from improper handling of log content, classified as a log file containment weakness.
Affected Systems
IBM DevOps Deploy and IBM UrbanCode Deploy (UCD) are affected. The affected versions are 7.2 through 7.2.3.23 and 7.3 through 7.3.2.18 of IBM UrbanCode Deploy, and 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0 of IBM DevOps Deploy. Specific impacted releases include 7.2.3.23, 7.3.2.18, 8.0.1.13, 8.1.2.6, and 8.2.1.0.
Risk and Exploitability
The CVSS score of 6.2 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires local user privileges with access to the log directory, making it a local information disclosure risk. An attacker with such access can read the logs and extract sensitive data; the exploit path is straightforward and does not require advanced skills.
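The version ranges and the local log-read condition described above can be checked on a host with the following added example, which is not IBM's or the advisory's code. The installed version string and the log directory path are operator-supplied assumptions; the advisory names neither a log path nor a fixed release.

```python
import os
import stat

# Affected ranges as listed in the advisory (inclusive on both ends).
AFFECTED_RANGES = [
    ("7.2", "7.2.3.23"),   # IBM UrbanCode Deploy
    ("7.3", "7.3.2.18"),   # IBM UrbanCode Deploy
    ("8.0", "8.0.1.13"),   # IBM DevOps Deploy
    ("8.1", "8.1.2.6"),    # IBM DevOps Deploy
    ("8.2", "8.2.1.0"),    # IBM DevOps Deploy
]

def parse_version(text, width=4):
    """Turn '7.2.3' into (7, 2, 3, 0); raise ValueError on malformed input."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= width or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (width - len(nums)))

def is_affected(version):
    """True if the version falls inside any range listed in the advisory."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)

def other_readable_files(log_dir):
    """Return regular files under log_dir that any local account can read (o+r)."""
    exposed = []
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                exposed.append(path)
    return sorted(exposed)

if __name__ == "__main__":
    import sys
    # Usage: check.py <installed-version> <log-directory>
    # Both arguments are hypothetical operator inputs, not values from the advisory.
    ver, log_dir = sys.argv[1], sys.argv[2]
    print("affected" if is_affected(ver) else "not in listed ranges")
    for p in other_readable_files(log_dir):
        print("other-readable:", p)
```

A version outside the listed ranges is only "not listed" by this advisory; the permission check is worth running either way, because it reports log files that every local account can read.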