Security Bulletin: IBM Aspera Orchestrator improved security for its HTTP code base (CVE-2023-26289)

2024-07-24 22:43:01
Source: www.ibm.com

CVSS3: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: LOW
- Integrity Impact: LOW
- Availability Impact: NONE

AI Score: 6.4 (Confidence: High)
EPSS: 0 (Percentile: 13.8%)

Summary

IBM Aspera Orchestrator has addressed a vulnerability related to handling of HTTP headers.

Vulnerability Details

**CVEID:** CVE-2023-26289
**DESCRIPTION:** IBM Aspera Orchestrator is vulnerable to HTTP header injection, caused by improper validation of the HOST header. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
**CVSS Base score:** 5.4
**CVSS Temporal Score:** See https://exchange.xforce.ibmcloud.com/vulnerabilities/248478 for the current score.
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
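As an added illustration of the defect class this bulletin describes (example code, not IBM's; the allow-list, hostnames and sample header values are constructed), the check below contrasts a handler that trusts the Host header when building absolute URLs with one that only accepts an allow-listed host. Cache keys, redirects and password-reset links built from an unvalidated Host value are what turn header injection into the cache poisoning and session hijacking the bulletin lists.

```python
"""Host header validation as a mitigation for HTTP Host header injection.

Added example, not IBM code. ALLOWED_HOSTS and all sample values are
constructed for the demonstration.
"""
import re

# Constructed allow-list: the hostnames this deployment is known to answer for.
ALLOWED_HOSTS = frozenset({"orchestrator.example.com", "localhost"})

# reg-name or bracketed IPv6 literal, optionally followed by ":port".
_HOST_RE = re.compile(
    r"^(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?$"
)


def validate_host(header_value, allowed=ALLOWED_HOSTS):
    """Return a canonical "host" or "host:port" string, or None if rejected.

    Rejects CR/LF and other control characters (header injection), userinfo
    and other junk characters, out-of-range ports, and any hostname that is
    not on the allow-list. Matching is case-insensitive and ignores a
    trailing dot, so "Orchestrator.Example.COM." is the same host.
    """
    if header_value is None:
        return None
    value = header_value.strip()
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return None
    m = _HOST_RE.fullmatch(value)
    if m is None:
        return None
    host = m.group("host").lower().rstrip(".")
    port = m.group("port")
    if port is not None and not 0 < int(port) < 65536:
        return None
    if host not in allowed:
        return None
    return host if port is None else f"{host}:{port}"


def build_base_url(header_value, scheme="https"):
    """Defective pattern: the client-supplied Host header becomes the URL origin."""
    return f"{scheme}://{header_value}/"


def build_base_url_safe(header_value, scheme="https"):
    """Hardened pattern: the origin is only ever an allow-listed host."""
    host = validate_host(header_value)
    if host is None:
        raise ValueError("untrusted Host header")
    return f"{scheme}://{host}/"
```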

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Aspera Orchestrator | 4.0.1 and prior versions |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by applying the below fix as soon as possible:

| Product | Version | Platform | Link to Fix |
| --- | --- | --- | --- |
| IBM Aspera Orchestrator | 4.0.1 PL3 | Linux | click here |

Workarounds and Mitigations

None

Affected configurations (Vulners)

Any of the following:

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| ibm | aspera_server_on_demand | 1.0 | cpe:2.3:a:ibm:aspera_server_on_demand:1.0:*:*:*:*:*:*:* |
| ibm | aspera_faspex | 1.0 | cpe:2.3:a:ibm:aspera_faspex:1.0:*:*:*:*:*:*:* |
| ibm | aspera_orchestrator | 4.0.0 | cpe:2.3:a:ibm:aspera_orchestrator:4.0.0:*:*:*:*:*:*:* |
| ibm | aspera_orchestrator | 4.0.1 | cpe:2.3:a:ibm:aspera_orchestrator:4.0.1:*:*:*:*:*:*:* |
