Lucene search

IBM9C9061F3E3844065E41E0DB210EF0BBC1B9C0A07198279F6C597670999207CA8

HistoryMay 29, 2024 - 8:37 p.m.

Security Bulletin: IBM Aspera Console has addressed multiple HTTP vulnerabilities (CVE-2022-43841, CVE-2024-24795, CVE-2023-38709)

2024-05-2920:37:46

www.ibm.com

ibm aspera console

http vulnerabilities

cve-2022-43841

cve-2024-24795

cve-2023-38709

security bulletin

http response splitting

web cache poisoning

cross-site scripting

sensitive information

apache http server

cvss score

upgrade

fix

windows

linux

4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

6.5 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

10.5%

JSON

Summary

This Security Bulletin addresses security vulnerabilities related to HTTP responses that would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information (CVE-2022-43841, CVE-2024-24795, CVE-2023-38709).

Vulnerability Details

CVEID:CVE-2022-43841
**DESCRIPTION:**IBM Aspera Console allows web pages to be stored locally which can be read by another user on the system.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239078 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2024-24795
**DESCRIPTION:**Apache HTTP Server is vulnerable to HTTP response splitting attacks, caused by a flaw in multiple modules. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286940 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:CVE-2023-38709
**DESCRIPTION:**Apache HTTP Server is vulnerable to HTTP response splitting attacks, caused by improper input validation in the core. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286938 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Aspera Console	3.4.0 - 3.4.2 PL9

Remediation/Fixes

It is recommended that customers upgrade to the latest version of IBM Aspera Console:

Product(s)	Fixing VRM	Platform	Link to Fix
IBM Aspera Console

3.4.2 PL 10

| Windows| click here
IBM Aspera Console|

3.4.2 PL 10

| Linux| click here

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmaspera_streamingMatch1.0

ibmaspera_server_on_demandMatch1.1

ibmaspera_consoleMatch3.4.2

ibmaspera_consoleMatch7

ibmaspera_streamingMatch1.0

CPENameOperatorVersion
ibm aspera enterpriseeq1.0
ibm aspera enterprise on demandeq1.1
ibm aspera consoleeq3.4.2
ibm aspera consoleeq7
ibm asperaeq1.0