Urbancode Deploy
by IBM
CVEs (12)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2016-8938 | Cri | 0.65 | 10.0 | 0.01 | | Feb 1, 2017 | IBM UrbanCode Deploy could allow a user to execute code using a specially crafted file upload that would replace code on the server. This code could be executed on the UCD agent machines that host customer's production applications. |
| CVE-2014-8900 | Hig | 0.57 | 8.8 | 0.00 | | Aug 28, 2017 | Cross-site request forgery (CSRF) vulnerability in IBM UrbanCode Release 6.0.1.6 and earlier, 6.1.0.7 and earlier, and 6.1.1.1 and earlier. |
| CVE-2017-1149 | Hig | 0.53 | 8.1 | 0.00 | | Apr 25, 2017 | IBM UrbanCode Deploy (UCD) 6.0, 6.1, and 6.2 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 122202. |
| CVE-2016-0271 | Hig | 0.53 | 8.2 | 0.00 | | Jul 8, 2016 | The agents in IBM UrbanCode Deploy 6.x before 6.0.1.14, 6.1.x before 6.1.3.3, and 6.2.x before 6.2.1.1 do not verify a server's identity in a JMS session or an HTTP session, which allows local users to obtain root access to arbitrary agents via unspecified vectors. |
| CVE-2016-0267 | Hig | 0.50 | 7.7 | 0.00 | | Jun 29, 2016 | IBM UrbanCode Deploy 6.0.x before 6.0.1.13, 6.1.x before 6.1.3.3, and 6.2.x before 6.2.1.1 allows remote authenticated users to obtain sensitive cleartext secure-property information via (1) the server UI or (2) a database request. |
| CVE-2016-9008 | Hig | 0.49 | 7.5 | 0.00 | | Feb 1, 2017 | IBM UrbanCode Deploy could allow a malicious user to access the Agent Relay ActiveMQ Broker JMX interface and run plugins on the agent. |
| CVE-2016-6068 | Hig | 0.49 | 7.5 | 0.00 | | Feb 1, 2017 | IBM UrbanCode Deploy could allow an authenticated user with access to the REST endpoints to access API and CLI getResource secured role properties. |
| CVE-2016-0365 | Med | 0.38 | 5.9 | 0.00 | | Jul 1, 2016 | IBM UrbanCode Deploy 6.0.x before 6.0.1.13, 6.1.x before 6.1.3.3, and 6.2.x before 6.2.1.1, when agent-relay Codestation artifact caching is enabled, allows remote attackers to bypass authentication and obtain sensitive artifact information via unspecified vectors. |
| CVE-2016-2994 | Med | 0.35 | 5.4 | 0.00 | | Dec 1, 2016 | Cross-site scripting (XSS) vulnerability in IBM UrbanCode Deploy 6.2.x before 6.2.1.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2015-7415 | Med | 0.35 | 5.4 | 0.00 | | Jan 1, 2016 | Multiple cross-site scripting (XSS) vulnerabilities in IBM UrbanCode Deploy 6.0 before 6.0.1.12, 6.1 before 6.1.3.2, and 6.2 before 6.2.0.2 allow remote authenticated users to inject arbitrary web script or HTML via a crafted URL. |
| CVE-2015-4964 | | 0.00 | — | 0.02 | | Oct 6, 2015 | IBM UrbanCode Deploy 6.0 and 6.0.1.x before 6.0.1.10, 6.1.1.x before 6.1.1.8, and 6.1.2 writes admin AUTH_TOKEN values to execution logs, which allows remote authenticated users to gain privileges by leveraging the ability to create and execute a process. |
| CVE-2014-6074 | | 0.00 | — | 0.00 | | Sep 10, 2014 | IBM UrbanCode Deploy 6.1.0.2 before IF1 allows remote authenticated users to read keystore secret keys via a direct request to a UI page. |