Remote Command Execution in IBM UrbanCode Deploy 7.x-7.3.2.9 & 8.x-8.1.0.0
CVE-2024-55904 Published on February 14, 2025
IBM DevOps Deploy / IBM UrbanCode Deploy command injection
IBM DevOps Deploy 8.0 through 8.0.1.4, 8.1 through 8.1.0.0 / IBM UrbanCode Deploy 7.0 through 7.0.5.25, 7.1 through 7.1.2.21, 7.2 through 7.2.3.14, and 7.3 through 7.3.2.9 could allow a remote privileged authenticated attacker to execute arbitrary commands on the system by sending specially crafted input containing special elements.
Vulnerability Analysis
CVE-2024-55904 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2024-55904 has been classified to as a Shell injection vulnerability or weakness.
Products Associated with CVE-2024-55904
stack.watch emails you whenever new vulnerabilities are published in IBM Urbancode Deploy or IBM Devops Deploy. Just hit a watch button to start following.
Affected Versions
IBM UrbanCode Deploy:- Version 7.0, <= 7.0.5.25 is affected.
- Version 7.1, <= 7.1.2.21 is affected.
- Version 7.2, <= 7.2.3.14 is affected.
- Version 7.3, <= 7.3.2.9 is affected.
- Version 8.0, <= 8.0.1.4 is affected.
- Version 8.1, <= 8.1.0.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.