What is the severity of CVE-2024-22358?

CVE-2024-22358 has a medium severity rating due to its potential to allow unauthorized session access.

How do I fix CVE-2024-22358?

To fix CVE-2024-22358, upgrade the affected IBM UrbanCode Deploy or IBM DevOps Deploy products to a version that includes the necessary security patches.

What versions of IBM UrbanCode Deploy are affected by CVE-2024-22358?

CVE-2024-22358 affects IBM UrbanCode Deploy versions 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, and 7.3 through 7.3.2.4.

Can authenticated users exploit CVE-2024-22358?

Yes, authenticated users can exploit CVE-2024-22358 to impersonate other users since sessions are not invalidated after logout.

Is CVE-2024-22358 applicable to IBM DevOps Deploy?

Yes, CVE-2024-22358 affects IBM DevOps Deploy versions up to 8.0.0.1.

Vulnerability/
CVE-2024-22358

high

8.8

CWE

613

11/4/2024

12/4/2024

29/1/2025

CVE-2024-22358: IBM UrbanCode Deploy session fixation

First published: Thu Apr 11 2024(Updated: )

IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy 8.0 through 8.0.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 280896.

Credit: psirt@us.ibm.com

Affected Software	Affected Version	How to fix
IBM UCD - IBM UrbanCode Deploy	<=7.0 - 7.0.5.20
IBM UCD - IBM UrbanCode Deploy	<=7.1 - 7.1.2.16
IBM UCD - IBM UrbanCode Deploy	<=7.2 - 7.2.3.9
IBM UCD - IBM UrbanCode Deploy	<=7.3 - 7.3.2.4
IBM UCD - IBM DevOps Deploy	<=8.0 - 8.0.0.1
IBM DevOps Deploy	>=8.0.0.0<8.0.1.0
IBM UrbanCode Deploy	>=7.0.0.0<7.0.5.21
IBM UrbanCode Deploy	>=7.1.0.0<7.1.2.17
IBM UrbanCode Deploy	>=7.2.0.0<7.2.3.10
IBM UrbanCode Deploy	>=7.3.0.0<7.3.2.5

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-7148109

Frequently Asked Questions

What is the severity of CVE-2024-22358?
CVE-2024-22358 has a medium severity rating due to its potential to allow unauthorized session access.
How do I fix CVE-2024-22358?
To fix CVE-2024-22358, upgrade the affected IBM UrbanCode Deploy or IBM DevOps Deploy products to a version that includes the necessary security patches.
What versions of IBM UrbanCode Deploy are affected by CVE-2024-22358?
CVE-2024-22358 affects IBM UrbanCode Deploy versions 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, and 7.3 through 7.3.2.4.
Can authenticated users exploit CVE-2024-22358?
Yes, authenticated users can exploit CVE-2024-22358 to impersonate other users since sessions are not invalidated after logout.
Is CVE-2024-22358 applicable to IBM DevOps Deploy?
Yes, CVE-2024-22358 affects IBM DevOps Deploy versions up to 8.0.0.1.

agent/weakness
agent/title
agent/references
agent/first-publish-date
agent/type
agent/description
collector/ibm-support
source/IBM
agent/software-canonical-lookup
agent/author
collector/mitre-cve
source/MITRE
agent/trending
agent/source
agent/tags
agent/last-modified-date
agent/severity
agent/softwarecombine
agent/event
collector/nvd-api
source/NVD
vendor/ibm
canonical/ibm ucd - ibm urbancode deploy
version/ibm ucd - ibm urbancode deploy/7.0 - 7.0.5.20
version/ibm ucd - ibm urbancode deploy/7.1 - 7.1.2.16
version/ibm ucd - ibm urbancode deploy/7.2 - 7.2.3.9
version/ibm ucd - ibm urbancode deploy/7.3 - 7.3.2.4
canonical/ibm ucd - ibm devops deploy
version/ibm ucd - ibm devops deploy/8.0 - 8.0.0.1
canonical/ibm devops deploy
version/ibm devops deploy/8.0.0.0
canonical/ibm urbancode deploy
version/ibm urbancode deploy/7.0.0.0
version/ibm urbancode deploy/7.1.0.0
version/ibm urbancode deploy/7.2.0.0
version/ibm urbancode deploy/7.3.0.0