Hcl Devops Deploy Hcl Launch
Monthly
Sensitive configuration data and credentials are exposed in API responses within HCL DevOps Deploy / HCL Launch, affecting all maintained version branches from 7.3 through 8.2.1.0. Any authenticated user with low-privilege access can retrieve secrets through standard API interactions, creating a stepping-stone for lateral movement or privilege escalation across connected deployment targets. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but real-world risk is elevated because CI/CD platforms routinely store high-value credentials for downstream infrastructure.
Sensitive information disclosure in HCL DevOps Deploy / HCL Launch exposes credentials or operational data stored in application log files to any local user who can read those files. Affected across four major release branches (7.3, 8.0, 8.1, and 8.2), the vulnerability stems from CWE-532, where the application writes sensitive material into logs without adequate sanitization or access restriction. No public exploit code has been identified at time of analysis, and the flaw is not listed in the CISA KEV catalog, but the high confidentiality impact (C:H) and zero-privilege local access condition elevate real-world concern in multi-tenant or shared-host deployments.
HCL DevOps Deploy and HCL Launch expose sensitive information in pipeline step output logs, enabling any low-privileged authenticated user with log access to read plaintext sensitive values - such as credentials, API tokens, or configuration secrets - that should be masked or redacted. All versions are potentially affected per the CPE wildcard, and the network-accessible nature (AV:N/PR:L) makes this a meaningful insider threat and lateral movement risk in enterprise CI/CD environments. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.
Sensitive configuration data and credentials are exposed in API responses within HCL DevOps Deploy / HCL Launch, affecting all maintained version branches from 7.3 through 8.2.1.0. Any authenticated user with low-privilege access can retrieve secrets through standard API interactions, creating a stepping-stone for lateral movement or privilege escalation across connected deployment targets. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but real-world risk is elevated because CI/CD platforms routinely store high-value credentials for downstream infrastructure.
Sensitive information disclosure in HCL DevOps Deploy / HCL Launch exposes credentials or operational data stored in application log files to any local user who can read those files. Affected across four major release branches (7.3, 8.0, 8.1, and 8.2), the vulnerability stems from CWE-532, where the application writes sensitive material into logs without adequate sanitization or access restriction. No public exploit code has been identified at time of analysis, and the flaw is not listed in the CISA KEV catalog, but the high confidentiality impact (C:H) and zero-privilege local access condition elevate real-world concern in multi-tenant or shared-host deployments.
HCL DevOps Deploy and HCL Launch expose sensitive information in pipeline step output logs, enabling any low-privileged authenticated user with log access to read plaintext sensitive values - such as credentials, API tokens, or configuration secrets - that should be masked or redacted. All versions are potentially affected per the CPE wildcard, and the network-accessible nature (AV:N/PR:L) makes this a meaningful insider threat and lateral movement risk in enterprise CI/CD environments. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.