
CVE-2024-22348

Severity: Medium
Published: 20 January 2025
Modified: 14 August 2025
KEV Added: not listed
Patch: see the IBM security bulletin referenced below
CVSS v3.1 score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS score: 0.0004 (13.7th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-22348 is a medium-severity Permissive Cross-domain Policy with Untrusted Domains (CWE-942) vulnerability in IBM DevOps Velocity. Its CVSS v3.1 base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2024-22348 is a Cross-Origin Resource Sharing (CORS) misconfiguration affecting IBM DevOps Velocity 5.0.0 and IBM UrbanCode Velocity (the product's former name) versions 4.0.0 through 4.0.25. The flaw is that the server does not restrict the origins it trusts in its CORS policy to a fixed set of trusted domains, so an untrusted origin can be granted cross-origin access to authenticated responses. It has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) and is classified as CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). The vulnerability was published on 2025-01-20.

An unauthenticated attacker with network access can exploit this vulnerability with low attack complexity and, per the vector, no user interaction. According to IBM's description, successful exploitation allows the attacker to carry out privileged actions and retrieve sensitive information by bypassing the intended same-origin restrictions. Two caveats matter when prioritising: the vector scores only a low integrity impact (C:N/I:L/A:N), so the "retrieve sensitive information" outcome in the vendor description is not reflected in the score; and, as with CORS misconfigurations in general, the attacker's origin has to be loaded in a browser that already holds a valid session with the Velocity server, so the exposure of logged-in users' browsers to attacker-controlled content matters as much as network exposure of the server itself.

IBM has published a security bulletin at https://www.ibm.com/support/pages/node/7172750 providing details on the vulnerability, affected versions, and recommended mitigation steps, including applying available patches.
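The following is an added illustration, not IBM's code and not taken from the bulletin: it shows at the HTTP-header level what a CWE-942 CORS misconfiguration looks like (origin reflection, and a substring match that look-alike domains satisfy), the exact-match allow-list that closes it, and the probe a tester runs to tell them apart. The origins, handler names and the "velocity.example.com" deployment are hypothetical.

```javascript
// Added example (not IBM's code): what a CWE-942 CORS misconfiguration looks
// like at the header level, and the exact-match allow-list that closes it.
// All origins and handlers are hypothetical.

// Front-end origins the hypothetical deployment actually trusts (assumption).
const TRUSTED_ORIGINS = new Set([
  "https://velocity.example.com",
  "https://velocity-ui.example.com",
]);

// Weak variant 1: reflect whatever Origin the browser sent and allow
// credentials. Any page an authenticated user visits can then read API
// responses and issue state-changing requests with that user's session.
function corsHeadersReflective(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Weak variant 2: a substring check. Still reflects the origin, so any
// domain that contains the trusted name (as prefix or suffix) gets through.
function corsHeadersSubstringMatch(origin) {
  if (!origin || !origin.includes("velocity.example.com")) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened variant: exact match against the allow-list. Unknown origins get
// no CORS headers at all, so the browser refuses the cross-origin read.
// Vary: Origin stops a shared cache from replaying one origin's
// Access-Control-Allow-Origin to a different origin.
function corsHeadersAllowList(origin) {
  if (!origin || !TRUSTED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// A browser lets a page read a credentialed response only when the response
// echoes that page's exact origin and opts in to credentials ("*" is not
// accepted together with credentials). This is the condition a tester checks.
function isCredentialedRead(headers, origin) {
  return (
    headers["Access-Control-Allow-Origin"] === origin &&
    headers["Access-Control-Allow-Credentials"] === "true"
  );
}

// Untrusted Origin values a tester would send to a live endpoint (constructed).
const PROBE_ORIGINS = [
  "https://attacker.example",                      // arbitrary origin
  "https://velocity.example.com.attacker.example", // trusted name as prefix
  "https://evilvelocity.example.com",              // trusted name as suffix
  "null",                                          // sandboxed iframe / data: URL
];

// Run the probe offline against a handler; returns the untrusted origins
// that would be granted a credentialed cross-origin read.
function probe(handler) {
  return PROBE_ORIGINS.filter((o) => isCredentialedRead(handler(o), o));
}

// Stand-alone run: shows each handler's exposure.
for (const [name, handler] of Object.entries({
  reflective: corsHeadersReflective,
  substring: corsHeadersSubstringMatch,
  allowList: corsHeadersAllowList,
})) {
  const leaked = probe(handler);
  console.log(`${name}: ${leaked.length} untrusted origin(s) granted a credentialed read`, leaked);
}
```

Against a live server the same check is a request carrying an arbitrary Origin header followed by inspection of Access-Control-Allow-Origin and Access-Control-Allow-Credentials in the reply; if the reply echoes the arbitrary origin with credentials allowed, the endpoint has the weakness this CVE describes. The allow-list pattern shows what a corrected configuration looks like; for this CVE the remediation is the update IBM describes in its bulletin, not a hand-written filter.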


Vulnerability details

IBM DevOps Velocity 5.0.0 and IBM UrbanCode Velocity 4.0.0 through 4.0.25 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains.

CWE(s)

CWE-942 Permissive Cross-domain Policy with Untrusted Domains

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CORS misconfiguration in a public-facing web application directly enables exploitation of the app to bypass access controls and exfiltrate data or perform actions.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-22347 (same product: IBM DevOps Velocity)
CVE-2026-8633 (same vendor: IBM)
CVE-2025-0159 (same vendor: IBM)
CVE-2023-49886 (same vendor: IBM)
CVE-2026-1343 (same vendor: IBM)
CVE-2026-8620 (same vendor: IBM)
CVE-2024-39750 (same vendor: IBM)
CVE-2026-9170 (same vendor: IBM)
CVE-2026-3366 (same vendor: IBM)
CVE-2026-8175 (same vendor: IBM)

Affected Assets

Vendor  Product             Versions
IBM     DevOps Velocity     5.0.0
IBM     UrbanCode Velocity  4.0.0 through 4.0.15

Note: the vendor description above gives UrbanCode Velocity 4.0.0 through 4.0.25 as the affected range, which does not match the 4.0.15 upper bound listed here; treat the IBM bulletin as authoritative when checking inventory.

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Control type: prevent. Enforces organization-defined cross-domain policies to restrict resource access and privileged actions to trusted domains only, directly addressing the permissive CORS misconfiguration.

Control type: prevent. AC-4 (Information Flow Enforcement): controls information flows between systems to prevent unauthorized cross-origin access from untrusted domains, mitigating the CWE-942 weakness.

Control type: prevent. CM-6 (Configuration Settings): mandates secure baseline configuration settings for web applications, including restrictive CORS policies limited to trusted domains.

References

IBM Security Bulletin for CVE-2024-22348: https://www.ibm.com/support/pages/node/7172750