PT-2024-10239 · IBM · IBM DevOps Velocity

Published: 2024-01-09 · Updated: 2025-08-14 · CVE-2024-22348

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

IBM DevOps Velocity version 5.0.0
IBM UrbanCode Velocity versions 4.0.0 through 4.0.25

Description

The issue is related to the use of an untrusted cross-domain policy file, which could allow a remote attacker to gain unauthorized access to protected information and elevate their privileges. The software uses Cross-Origin Resource Sharing (CORS), which may permit an attacker to perform privileged actions and retrieve sensitive information because the domain name is not limited to only trusted domains.

Recommendations

For IBM DevOps Velocity version 5.0.0, update to a version that limits the domain name to only trusted domains. For IBM UrbanCode Velocity versions 4.0.0 through 4.0.25, update to a version that limits the domain name to only trusted domains. As a temporary workaround, consider restricting access to the CORS feature until a patch is available.
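
The difference between an unrestricted CORS policy and one limited to trusted domains, as an added example (not IBM's code and not part of the original advisory). The origins, function names and header handling are constructed for illustration and assume a server that builds its CORS response headers from the request's `Origin` value.

```javascript
// Constructed allowlist: exact origins (scheme + host + port) the API trusts.
const TRUSTED_ORIGINS = new Set([
  "https://velocity.example.com",
  "https://ci.example.com",
]);

// Weak pattern: echo whatever Origin arrived and allow credentials.
// Any site can then read authenticated responses in the victim's browser.
function reflectAnyOrigin(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Accept only a well-formed, already-canonical origin string.
// Rejects "null", paths, userinfo, explicit default ports and mixed case.
function canonicalOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let url;
  try { url = new URL(value); } catch { return null; }
  return url.origin === value ? value : null;
}

// Hardened pattern: exact-match lookup, never substring or suffix tests.
function allowlistedOrigin(requestOrigin, trusted = TRUSTED_ORIGINS) {
  // Vary on Origin so a cache never replays one origin's answer to another.
  const headers = { Vary: "Origin" };
  const origin = canonicalOrigin(requestOrigin);
  if (origin && trusted.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Constructed sample Origin values, including look-alikes of a trusted host.
const samples = [
  "https://velocity.example.com",
  "https://velocity.example.com.untrusted.example",
  "http://velocity.example.com",
  "null",
];
for (const o of samples) {
  console.log(o, "reflect:", "Access-Control-Allow-Origin" in reflectAnyOrigin(o),
    "allowlist:", "Access-Control-Allow-Origin" in allowlistedOrigin(o));
}
```
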

Related Identifiers

BDU:2025-00619
CVE-2024-22348

Affected Products

IBM DevOps Velocity
IBM UrbanCode Velocity