Cyber Posture

CVE-2024-22348

Medium

Published: 20 January 2025
Modified: 14 August 2025
KEV Added: not listed
Patch: available (see the IBM security bulletin referenced below)
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS Score: 0.0004 (13.2th percentile)
Risk Priority: 11 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-22348 is a medium-severity Permissive Cross-domain Policy with Untrusted Domains (CWE-942) vulnerability in IBM DevOps Velocity. Its CVSS base score is 5.3 (Medium).

Operationally, its EPSS exploit-likelihood score sits at the 13.2th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Enforces organization-defined cross-domain policies to restrict resource access and privileged actions to trusted domains only, directly addressing the permissive CORS misconfiguration.
- prevent: Controls information flows between systems to prevent unauthorized cross-origin access from untrusted domains, mitigating the CWE-942 vulnerability.
- prevent: Mandates secure baseline configuration settings for web applications, including restrictive CORS policies limited to trusted domains.

NVD Description

IBM DevOps Velocity 5.0.0 and IBM UrbanCode Velocity 4.0.0 through 4.0.25 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains.

Deeper analysis

CVE-2024-22348 is a Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability affecting IBM DevOps Velocity 5.0.0 and IBM UrbanCode Velocity versions 4.0.0 through 4.0.25. The flaw arises because the software does not restrict the allowed origin to trusted domains only, so the effective CORS policy is overly permissive. It has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) and is classified as CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). The vulnerability was published on 2025-01-20.

An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows the attacker to carry out privileged actions and retrieve sensitive information by bypassing intended CORS restrictions.
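To make the CWE-942 pattern concrete, the following is an added example (not IBM's code; the hostnames in the allowlist are constructed) that contrasts a handler reflecting the browser's Origin header with an exact-match allowlist of trusted origins, the restrictive configuration the controls above call for.

```python
from urllib.parse import urlsplit

# Constructed allowlist (hypothetical hostnames, not IBM's): the full origin,
# i.e. scheme, host and non-default port, must match exactly.
TRUSTED_ORIGINS = frozenset({
    "https://velocity.example.internal",
    "https://ci.example.internal:8443",
})
DEFAULT_PORTS = {"https": 443, "http": 80}


def permissive_cors_headers(origin):
    """The CWE-942 pattern: reflect whatever Origin the browser sent and allow
    credentials, so any site a logged-in user visits can read API responses."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def normalize_origin(origin):
    """Canonicalise an Origin header to scheme://host[:port], lowercased and
    with default ports dropped; return None for 'null', malformed or non-http."""
    if not origin or origin == "null":
        return None
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a non-numeric/out-of-range port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None  # an Origin carries no path, query, fragment or userinfo
    canonical = f"{parts.scheme}://{parts.hostname}"
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        canonical += f":{port}"
    return canonical


def restrictive_cors_headers(origin):
    """Allowlisted exact match: trusted origins get a CORS grant, everything
    else gets no CORS headers at all, leaving the same-origin policy in force."""
    canonical = normalize_origin(origin)
    if canonical not in TRUSTED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": canonical,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}  # caches must key responses on Origin
```

Note that a lookalike origin such as a trusted hostname used as a prefix of an attacker-controlled domain, or a port mismatch, receives no grant from the restrictive version, whereas the permissive version grants everything.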

IBM has published a security bulletin at https://www.ibm.com/support/pages/node/7172750 providing details on the vulnerability, affected versions, and recommended mitigation steps, including applying available patches.

Details

CWE(s): CWE-942 (Permissive Cross-domain Policy with Untrusted Domains)

Affected Products:
IBM DevOps Velocity 5.0.0
IBM UrbanCode Velocity 4.0.0 through 4.0.15

CVEs Like This One

CVE-2024-22347 (same product: IBM DevOps Velocity)
CVE-2024-56340 (same vendor: IBM)
CVE-2024-43187 (same vendor: IBM)
CVE-2025-0162 (same vendor: IBM)
CVE-2024-28766 (same vendor: IBM)
CVE-2025-14480 (same vendor: IBM)
CVE-2024-25034 (same vendor: IBM)
CVE-2024-39750 (same vendor: IBM)
CVE-2024-49352 (same vendor: IBM)
CVE-2025-3320 (same vendor: IBM)

References

IBM Security Bulletin: https://www.ibm.com/support/pages/node/7172750