CVE-2024-22334 - Vulnerability Details - OpenCVE

ReportizFlow

IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy 8.0 through 8.0.0.1 could be vulnerable to incomplete revocation of permissions when deleting a custom security resource type. When deleting a custom security type, associated permissions of objects using that type may not be fully revoked. This could lead to incorrect reporting of permission configuration and unexpected privileges being retained. IBM X-Force ID: 279974.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://exchange.xforce.ibmcloud.com/vulnerabilities/279974
https://www.ibm.com/support/pages/node/7148112

History

No history.

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2024-04-12T16:41:15.797Z

Updated: 2024-08-01T22:43:34.546Z

Reserved: 2024-01-08T23:42:17.266Z

Link: CVE-2024-22334

Vulnrichment

Updated: 2024-08-01T22:43:34.546Z

NVD

Status : Awaiting Analysis

Published: 2024-04-12T17:17:21.300

Modified: 2024-11-21T08:56:04.560

Link: CVE-2024-22334

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-22334", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2024-01-08T23:42:17.266Z", "datePublished": "2024-04-12T16:41:15.797Z", "dateUpdated": "2024-08-01T22:43:34.546Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "UrbanCode Deploy", "vendor": "IBM", "versions": [{"lessThanOrEqual": "7.0.5.20", "status": "affected", "version": "7.0", "versionType": "semver"}, {"lessThanOrEqual": "7.1.2.16", "status": "affected", "version": "7.1", "versionType": "semver"}, {"lessThanOrEqual": "7.2.3.9", "status": "affected", "version": "7.2", "versionType": "semver"}, {"lessThanOrEqual": "7.3.2.4", "status": "affected", "version": "7.3", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "DevOps Deploy", "vendor": "IBM", "versions": [{"lessThanOrEqual": "8.0.0.1", "status": "affected", "version": "8.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy 8.0 through 8.0.0.1 could be vulnerable to incomplete revocation of permissions when deleting a custom security resource type. When deleting a custom security type, associated permissions of objects using that type may not be fully revoked. This could lead to incorrect reporting of permission configuration and unexpected privileges being retained. IBM X-Force ID: 279974."}], "value": "IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy 8.0 through 8.0.0.1 could be vulnerable to incomplete revocation of permissions when deleting a custom security resource type. When deleting a custom security type, associated permissions of objects using that type may not be fully revoked. This could lead to incorrect reporting of permission configuration and unexpected privileges being retained. IBM X-Force ID: 279974."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2024-04-12T16:41:15.797Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.ibm.com/support/pages/node/7148112"}, {"tags": ["vdb-entry"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/279974"}], "source": {"discovery": "UNKNOWN"}, "title": "IBM UrbanCode Deploy improper privilege control", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22334", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-12T19:03:41.539321Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:52:36.794Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:43:34.546Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.ibm.com/support/pages/node/7148112"}, {"tags": ["vdb-entry", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/279974"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.ibm.com/support/pages/node/7148112", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/279974", "tags": ["vdb-entry", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:43:34.546Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22334", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-12T19:03:41.539321Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:23.581Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "IBM UrbanCode Deploy improper privilege control", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "IBM", "product": "UrbanCode Deploy", "versions": [{"status": "affected", "version": "7.0", "versionType": "semver", "lessThanOrEqual": "7.0.5.20"}, {"status": "affected", "version": "7.1", "versionType": "semver", "lessThanOrEqual": "7.1.2.16"}, {"status": "affected", "version": "7.2", "versionType": "semver", "lessThanOrEqual": "7.2.3.9"}, {"status": "affected", "version": "7.3", "versionType": "semver", "lessThanOrEqual": "7.3.2.4"}], "defaultStatus": "unaffected"}, {"vendor": "IBM", "product": "DevOps Deploy", "versions": [{"status": "affected", "version": "8.0", "versionType": "semver", "lessThanOrEqual": "8.0.0.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.ibm.com/support/pages/node/7148112", "tags": ["vendor-advisory"]}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/279974", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy 8.0 through 8.0.0.1 could be vulnerable to incomplete revocation of permissions when deleting a custom security resource type. When deleting a custom security type, associated permissions of objects using that type may not be fully revoked. This could lead to incorrect reporting of permission configuration and unexpected privileges being retained. IBM X-Force ID: 279974.", "supportingMedia": [{"type": "text/html", "value": "IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy 8.0 through 8.0.0.1 could be vulnerable to incomplete revocation of permissions when deleting a custom security resource type. When deleting a custom security type, associated permissions of objects using that type may not be fully revoked. This could lead to incorrect reporting of permission configuration and unexpected privileges being retained. IBM X-Force ID: 279974.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2024-04-12T16:41:15.797Z"}}}, "cveMetadata": {"cveId": "CVE-2024-22334", "state": "PUBLISHED", "dateUpdated": "2024-08-01T22:43:34.546Z", "dateReserved": "2024-01-08T23:42:17.266Z", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "datePublished": "2024-04-12T16:41:15.797Z", "assignerShortName": "ibm"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy 8.0 through 8.0.0.1 could be vulnerable to incomplete revocation of permissions when deleting a custom security resource type. When deleting a custom security type, associated permissions of objects using that type may not be fully revoked. This could lead to incorrect reporting of permission configuration and unexpected privileges being retained. IBM X-Force ID: 279974."}, {"lang": "es", "value": "IBM UrbanCode Deploy (UCD) 7.0 a 7.0.5.20, 7.1 a 7.1.2.16, 7.2 a 7.2.3.9, 7.3 a 7.3.2.4 e IBM DevOps Deploy 8.0 a 8.0.0.1 podr\u00edan ser vulnerables a una revocaci\u00f3n incompleta de permisos al eliminar un tipo de recurso de seguridad. Al eliminar un tipo de seguridad personalizado, es posible que los permisos asociados de los objetos que usan ese tipo no se revoquen por completo. Esto podr\u00eda dar lugar a informes incorrectos de la configuraci\u00f3n de permisos y a la retenci\u00f3n de privilegios inesperados. ID de IBM X-Force: 279974."}], "id": "CVE-2024-22334", "lastModified": "2024-11-21T08:56:04.560", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-04-12T17:17:21.300", "references": [{"source": "[email protected]", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/279974"}, {"source": "[email protected]", "url": "https://www.ibm.com/support/pages/node/7148112"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/279974"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.ibm.com/support/pages/node/7148112"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "[email protected]", "type": "Secondary"}]}