Skip to main content

IBM DevOps Automation EUVDEUVD-2025-210374

| CVE-2025-36359 MEDIUM
Insufficient Session Expiration (CWE-613)
2026-06-30 ibm GHSA-85r2-j732-h557
6.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (ibm) PRIMARY
HIGH
qualitative
NVD
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
8.1 HIGH

Network-facing app exploited by an already-authenticated user (PR:L); reuse of a non-invalidated session yields full impersonation (C:H/I:H) with no availability impact (A:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (ibm).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Severity Changed
Jul 06, 2026 - 16:37 NVD
HIGH MEDIUM
CVSS changed
Jul 06, 2026 - 16:37 NVD
8.1 (HIGH) 6.5 (MEDIUM)
Analysis Generated
Jun 30, 2026 - 21:15 vuln.today

DescriptionNVD

IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after expiration which could allow an authenticated user to impersonate another user on the system.

AnalysisAI

Session hijacking in IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 allows an authenticated user to impersonate another user because session IDs are not invalidated after they expire (CWE-613). An attacker who obtains or reuses a stale session identifier can act with the victim's identity, producing high confidentiality and integrity impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

IBM DevOps Automation and IBM DevOps Loop are enterprise CI/CD and release-orchestration platforms (CPEs cpe:2.3:a:ibm:devops_automation and cpe:2.3:a:ibm:devops_loop). The root cause is CWE-613 (Insufficient Session Expiration): the application continues to honor session identifiers after their intended expiration window rather than invalidating them server-side. Because the session token is the authentication anchor for web requests, a session ID that stays valid past expiration becomes a reusable credential, decoupling authentication from any time limit and enabling impersonation if the token is captured, replayed, or otherwise reused.

RemediationAI

Apply the vendor patch referenced in IBM's advisory at https://www.ibm.com/support/pages/node/7277970 (Patch available per vendor advisory; an exact fixed version is not stated in the provided data, so confirm the target release on that page before deploying). Until patched, reduce exposure by shortening server-side session lifetimes and forcing re-authentication, ensuring sessions are destroyed server-side (not merely expired client-side) on logout and timeout, and where supported rotating or invalidating session IDs on context or privilege change; the trade-off is more frequent logins for users and possible disruption to long-running automation sessions. Restricting network access to the management interfaces to trusted users and networks further limits who can attempt to replay stale tokens.

Share

EUVD-2025-210374 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy