Name of the Vulnerable Software and Affected Versions:

IBM DevOps Velocity version 5.0.0

IBM UrbanCode Velocity versions 4.0.0 through 4.0.25

Description:

The issue is related to the use of an untrusted cross-domain policy file, which could allow a remote attacker to gain unauthorized access to protected information and elevate their privileges. The software uses Cross-Origin Resource Sharing (CORS), which may permit an attacker to perform privileged actions and retrieve sensitive information because the domain name is not limited to only trusted domains.

Recommendations:

For IBM DevOps Velocity version 5.0.0, update to a version that limits the domain name to only trusted domains.

For IBM UrbanCode Velocity versions 4.0.0 through 4.0.25, update to a version that limits the domain name to only trusted domains.

As a temporary workaround, consider restricting access to the CORS feature until a patch is available.