Lucene search

IbmVULNRICHMENT:CVE-2023-26288

HistoryJul 30, 2024 - 5:01 p.m.

CVE-2023-26288 IBM Aspera Orchestrator session fixation

2024-07-3017:01:00

CWE-613

ibm

github.com

ibm

aspera orchestrator

session fixation

CVSS3

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

AI Score

6.4

Confidence

Low

EPSS

Percentile

13.7%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

IBM Aspera Orchestrator 4.0.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 248477.

CNA Affected

[
  {
    "vendor": "IBM",
    "product": "Aspera Orchestrator",
    "versions": [
      {
        "status": "affected",
        "version": "4.0.1"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

exchange.xforce.ibmcloud.com/vulnerabilities/248477

www.ibm.com/support/pages/node/7161538