CVE-2025-36364 Overview
CVE-2025-36364 is an information disclosure vulnerability in IBM DevOps Plan that allows web page cache to be stored locally, which can subsequently be read by another user on the same system. This cache storage issue enables local users to potentially access sensitive information that should remain confidential to individual sessions.
Critical Impact
Local users with access to the system can read cached web page data from other users, potentially exposing sensitive DevOps planning information, project details, or organizational data stored in browser cache.
Affected Products
- IBM DevOps Plan 3.0.0
- IBM DevOps Plan 3.0.1 through 3.0.4
- IBM DevOps Plan 3.0.5
Discovery Timeline
- 2026-03-03 - CVE-2025-36364 published to NVD
- 2026-03-04 - Last updated in NVD database
Technical Details for CVE-2025-36364
Vulnerability Analysis
This vulnerability is classified under CWE-525 (Use of Web Browser Cache Containing Sensitive Information). The core issue stems from improper cache control mechanisms within IBM DevOps Plan, where the application fails to properly instruct web browsers to prevent caching of sensitive page content.
When users access IBM DevOps Plan through a web browser, the application does not set appropriate HTTP headers to prevent local caching of sensitive information. As a result, web page content—including potentially sensitive project data, user information, and organizational details—gets stored in the local browser cache directory on the filesystem.
The vulnerability requires local access to the affected system, meaning an attacker would need to have legitimate access to the same machine where another user has accessed IBM DevOps Plan. From there, the attacker could navigate to browser cache directories and extract cached content from other users' sessions.
Root Cause
The root cause of this vulnerability lies in missing or improperly configured HTTP cache-control headers. IBM DevOps Plan versions 3.0.0 through 3.0.5 do not adequately implement cache directives such as Cache-Control: no-store, Cache-Control: no-cache, or Pragma: no-cache for pages containing sensitive information. This oversight allows browsers to store page content locally according to their default caching behavior.
Attack Vector
The attack vector is local, requiring an attacker to have access to the same system where a legitimate user has accessed IBM DevOps Plan. The exploitation scenario involves:
- A legitimate user accesses IBM DevOps Plan through a web browser on a shared workstation or multi-user system
- The browser caches web page content containing sensitive information to the local filesystem
- An attacker with access to the same system locates the browser cache directory
- The attacker extracts and reads cached HTML, JavaScript, or other content files
- Sensitive information from the victim's DevOps Plan sessions is disclosed
The attack requires low privileges and no user interaction beyond the initial caching that occurs during normal application use. This vulnerability is particularly concerning in shared computing environments, kiosks, or systems where multiple users have filesystem access.
Detection Methods for CVE-2025-36364
Indicators of Compromise
- Unusual access patterns to browser cache directories by non-owner users
- File system audit logs showing access to cached content from IBM DevOps Plan sessions
- Evidence of cache directory enumeration or bulk file access operations
- Unauthorized user accounts accessing browser data storage locations
Detection Strategies
- Implement file integrity monitoring on browser cache directories in shared environments
- Enable detailed filesystem auditing to track access to user-specific browser data folders
- Monitor for suspicious process activity accessing other users' application data directories
- Deploy endpoint detection solutions capable of identifying cache scraping behavior
Monitoring Recommendations
- Configure security information and event management (SIEM) to alert on cross-user cache access patterns
- Establish baseline browser cache access behavior and alert on anomalies
- Monitor for tools commonly used to extract browser cache data
- Review access logs for IBM DevOps Plan to correlate with potential cache exploitation attempts
How to Mitigate CVE-2025-36364
Immediate Actions Required
- Upgrade IBM DevOps Plan to the latest patched version as specified in the IBM security advisory
- Clear browser caches on shared systems where IBM DevOps Plan has been accessed
- Restrict local filesystem access on multi-user systems where possible
- Implement browser policies to minimize cache storage for sensitive applications
Patch Information
IBM has released security updates to address this vulnerability. Organizations should review the IBM Support Page for detailed patch information and upgrade instructions. The patch implements proper HTTP cache-control headers to prevent browsers from storing sensitive page content locally.
Workarounds
- Configure browser settings to disable caching or automatically clear cache on session end for users accessing IBM DevOps Plan
- Use private/incognito browsing mode when accessing IBM DevOps Plan on shared systems
- Implement group policies or browser configuration management to enforce no-cache settings for the IBM DevOps Plan domain
- Restrict physical and logical access to shared workstations where IBM DevOps Plan is accessed
# Example: Configure browser cache clearing for shared systems
# For Chrome managed environments, set these policies:
# ClearBrowsingDataOnExitList: ["cached_images_and_files", "browsing_history"]
#
# For Firefox, configure in about:config:
# privacy.sanitize.sanitizeOnShutdown = true
# privacy.clearOnShutdown.cache = true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
