IBM Aspera Shares Vulnerability Let Attackers Login as Any User
IBM has disclosed a vulnerability in its Aspera Shares software, CVE-2023-38018. This flaw in user session handling could potentially allow attackers to impersonate any user within the system, posing a substantial security risk for organizations relying on this software for data transfer.
The vulnerability arises from IBM Aspera Shares’ failure to invalidate user sessions following a password change. This oversight potentially enables an authenticated user to log in as any other user on the system.
The vulnerability has a CVSS Base Score of 6.3, indicating a moderate severity. The detailed CVSS vector is (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L): the flaw is reachable over the network with low attack complexity, requires only low privileges and needs no user interaction.
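The session-handling flaw class described above (sessions that stay valid after a password change), shown beside a hardened variant. This is an added example, not IBM's code; the SessionStore class, its methods and the sample account are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    def __init__(self, invalidate_on_password_change):
        self.invalidate = invalidate_on_password_change
        self.users = {}     # username -> (salt, password_hash, credential_version)
        self.sessions = {}  # token -> (username, credential_version at login)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, username, password):
        salt = secrets.token_bytes(16)
        version = self.users.get(username, (None, None, 0))[2] + 1
        self.users[username] = (salt, self._hash(password, salt), version)
        if self.invalidate:
            # Hardened: drop every session issued under the old credential.
            self.sessions = {t: s for t, s in self.sessions.items() if s[0] != username}

    def login(self, username, password):
        record = self.users.get(username)
        if record is None:
            return None
        salt, stored, version = record
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, version)
        return token

    def whoami(self, token):
        username, version = self.sessions.get(token, (None, None))
        # Hardened: also reject any session older than the current credential.
        if username is None or (self.invalidate and self.users[username][2] != version):
            return None
        return username


def session_survives_password_change(invalidate):
    store = SessionStore(invalidate)
    store.set_password("alice", "old-password")   # constructed sample account
    stale = store.login("alice", "old-password")  # session opened before the change
    store.set_password("alice", "new-password")
    return store.whoami(stale) == "alice"
```

With invalidation off, the session opened before the password change still resolves to the account; with it on, the same token is rejected and a fresh login is required.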
Affected Products and Versions
Affected Product(s) | Version(s)
IBM Aspera Shares | 0.0.0 – 1.10.0 PL2
The vulnerability affects IBM Aspera Shares versions from 0.0.0 to 1.10.0 PL2. This issue underscores the critical importance of robust session management protocols in software applications, especially those handling sensitive data transfers.
Remediation and Fixes
IBM has promptly addressed this vulnerability by releasing a patch. Users of IBM Aspera Shares are strongly advised to update to version 1.10.0 PL3 to mitigate the risk. The patch is available for both Linux and Windows platforms.
There are no alternative workarounds or mitigations available at this time. Therefore, applying the provided fix is crucial to ensure the security of the affected systems.
IBM encourages users to subscribe to “My Notifications” for timely updates on security bulletins and product support alerts. This proactive approach can help organizations avoid potential vulnerabilities and secure their systems.