Security Bulletin: IBM Aspera Shares improved security for user session handling (CVE-2023-38018)

Date: 2024-08-08 21:45:15
Source: www.ibm.com
Tags: security bulletin, ibm aspera shares, user session handling, cve-2023-38018, vulnerability, affected products, remediation, linux, windows

CVSS3: 6.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

AI Score: 6.9 (Confidence: High)

EPSS: 0 (Percentile: 14.7%)

Summary

IBM Aspera Shares has addressed a vulnerability related to user session handling.

Vulnerability Details

CVEID: CVE-2023-38018
**DESCRIPTION:** IBM Aspera Shares does not invalidate the session after a password change, which could allow an authenticated user to impersonate another user on the system.
CVSS Base score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/260574 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Aspera Shares | 0.0.0 - 1.10.0 PL2 |

Remediation/Fixes

It is recommended to apply the fix as soon as possible; see the links in the table below.

| Product | Fixing VRM | Platform | Link to Fix |
|---|---|---|---|
| IBM Aspera Shares | 1.10.0 PL3 | Linux | click here |
| IBM Aspera Shares | 1.10.0 PL3 | Windows | click here |

Workarounds and Mitigations

None

Affected configurations

Vulners node (any of the following, OR):

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | aspera_shares | 1.10.0 | cpe:2.3:a:ibm:aspera_shares:1.10.0:*:*:*:*:*:*:* |
| ibm | aspera_shares | 3 | cpe:2.3:a:ibm:aspera_shares:3:*:*:*:*:*:*:* |
| ibm | aspera_server_on_demand | 1.1 | cpe:2.3:a:ibm:aspera_server_on_demand:1.1:*:*:*:*:*:*:* |
| ibm | aspera_server_on_demand | 1.0 | cpe:2.3:a:ibm:aspera_server_on_demand:1.0:*:*:*:*:*:*:* |
| ibm | aspera_faspex | 1.0.2 | cpe:2.3:a:ibm:aspera_faspex:1.0.2:*:*:*:*:*:*:* |
| ibm | aspera_faspex | 1.0 | cpe:2.3:a:ibm:aspera_faspex:1.0:*:*:*:*:*:*:* |
