ibmIBM0925564FB4EC20E53F59BADF335CB165D15133B380EEC8E4759FB559271D1942
Sep 13, 2024 - 3:19 p.m.

Security Bulletin: IBM Aspera Shares improved security for user session handling (CVE-2024-38315)

2024-09-13 15:19:40
www.ibm.com
ibm aspera shares
user session handling
vulnerability
password reset
authenticated user
system
fix
linux
windows

CVSS3: 6.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score: 6.9
Confidence: High

EPSS: 0
Percentile: 14.1%

Summary

IBM Aspera Shares has addressed a vulnerability related to user session handling.

Vulnerability Details

**CVEID:** CVE-2024-38315
**DESCRIPTION:** IBM Aspera Shares does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system.
CVSS Base score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/294742 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Aspera Shares | 1.0.0 - 1.10.0 PL2 |

Remediation/Fixes

It is recommended to apply the fix as soon as possible; see the links in the table below.

| Product | Fixing VRM | Platform | Link to Fix |
|---|---|---|---|
| IBM Aspera Shares | 1.10.0 PL3 | Linux | click here |
| IBM Aspera Shares | 1.10.0 PL3 | Windows | click here |

Workarounds and Mitigations

None

Affected configurations

Vulners Node:

ibm aspera_faspex Match 1.0
OR
ibm aspera_server_on_demand Match 1.0
OR
ibm aspera_server_on_demand Match 1.1
OR
ibm aspera_faspex Match 1.0.2
OR
ibm aspera_shares Match 1.10.0
OR
ibm aspera_shares Match 3

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | aspera_faspex | 1.0 | cpe:2.3:a:ibm:aspera_faspex:1.0:*:*:*:*:*:*:* |
| ibm | aspera_server_on_demand | 1.0 | cpe:2.3:a:ibm:aspera_server_on_demand:1.0:*:*:*:*:*:*:* |
| ibm | aspera_server_on_demand | 1.1 | cpe:2.3:a:ibm:aspera_server_on_demand:1.1:*:*:*:*:*:*:* |
| ibm | aspera_faspex | 1.0.2 | cpe:2.3:a:ibm:aspera_faspex:1.0.2:*:*:*:*:*:*:* |
| ibm | aspera_shares | 1.10.0 | cpe:2.3:a:ibm:aspera_shares:1.10.0:*:*:*:*:*:*:* |
| ibm | aspera_shares | 3 | cpe:2.3:a:ibm:aspera_shares:3:*:*:*:*:*:*:* |
