SB2024053019 - Multiple vulnerabilities in IBM Aspera Console

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024053019

SB2024053019 - Multiple vulnerabilities in IBM Aspera Console

Published: May 30, 2024

Security Bulletin ID SB2024053019
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) HTTP response splitting (CVE-ID: CVE-2024-24795)

The vulnerability allows a remote attacker to perform HTTP splitting attacks.

The vulnerability exists due to software does not correctly process CRLF character sequences in multiple modules. A remote attacker can inject malicious response headers into backend applications and perform an HTTP desynchronization attack.

Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.


2) HTTP response splitting (CVE-ID: CVE-2023-38709)

The vulnerability allows a remote attacker to perform HTTP splitting attacks.

The vulnerability exists due to software does not correctly process CRLF character sequences. A malicious or exploitable backend/content generators can send specially crafted response containing CRLF sequence and make the application to send a split HTTP response.

Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.


3) Unprotected storage of credentials (CVE-ID: CVE-2022-43841)

The vulnerability allows a local user to gain access to other users' credentials.

The vulnerability exists due to IBM Aspera Console allows web pages to be stored locally. A local user can view contents of the configuration file and gain access to passwords for 3rd party integration.


Remediation

Install update from vendor's website.

References