CVE-2023-38018

Published: Aug 12, 2024Modified: Aug 29, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: NVD

Description

IBM Aspera Shares 1.10.0 PL2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 260574.

Affected (1)

Products: Ibm: Aspera Shares

Ibm

1 product

Aspera Shares

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Ibm Aspera Shares	Version 1.10.0 patch_level2

Related CWEs

CWE-384

Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

References (1)

https://www.ibm.com/support/pages/node/7164325

Source: psirt@us.ibm.com

Vendor Advisory

Timeline

No history available yet.