CVE-2025-36364 is a vulnerability identified in IBM DevOps Plan versions 3.0.0 through 3.0.5, categorized under CWE-525, which concerns the use of web browser cache containing sensitive information. The issue arises because the application allows sensitive data displayed on web pages to be stored in the local browser cache without adequate protection or cache-control headers. This cached data can be accessed by other users on the same physical or virtual machine, potentially exposing sensitive project or operational information. The vulnerability is exploitable without authentication or user interaction but requires local access to the system, as the attack vector is local (AV:L). The CVSS v3.1 base score is 6.2, reflecting a medium severity level primarily due to the high confidentiality impact and ease of access by local attackers. The vulnerability does not affect data integrity or availability. No patches or exploits are currently reported, but the risk remains for environments where multiple users share access to the same workstation or virtual desktop infrastructure (VDI). This issue highlights a common security oversight where web applications do not properly control caching behavior, leading to sensitive data leakage through browser caches.

The primary impact of CVE-2025-36364 is the potential unauthorized disclosure of sensitive information stored in the IBM DevOps Plan web interface. This can lead to exposure of confidential project details, credentials, or operational data to unauthorized local users sharing the same system. While the vulnerability does not affect data integrity or system availability, the confidentiality breach could facilitate further attacks such as social engineering, insider threats, or lateral movement within an organization. Organizations with shared workstations, remote desktop environments, or multi-user systems are particularly vulnerable. The impact is limited to local attackers, so remote exploitation is not feasible without prior system access. However, in environments with lax physical or logical access controls, this vulnerability could significantly increase the risk of data leakage and compliance violations, especially in regulated industries using IBM DevOps Plan for critical development workflows.

To mitigate CVE-2025-36364, organizations should implement the following specific measures: 1) Upgrade IBM DevOps Plan to a version beyond 3.0.5 once a patch is released by IBM addressing the caching behavior. 2) Until a patch is available, configure browsers used to access IBM DevOps Plan to disable or limit caching, especially for sensitive sites, by enforcing cache-control headers or using private/incognito modes. 3) Enforce strict access controls on shared systems to prevent unauthorized local user access, including user account separation and session locking. 4) Use endpoint security solutions to monitor and restrict access to browser cache directories. 5) Educate users about the risks of shared systems and the importance of logging out and locking sessions. 6) Consider deploying IBM DevOps Plan in isolated environments or virtual machines dedicated per user to reduce shared cache exposure. 7) Regularly audit and monitor local system access logs to detect suspicious activity. These steps go beyond generic advice by focusing on browser cache management and local access controls tailored to this vulnerability's characteristics.