CVE-2024-38315

Published: Sep 16, 2024Modified: Sep 20, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

IBM Aspera Shares 1.0 through 1.10.0 PL3 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system.

Affected (5)

Products: Ibm: Aspera Shares

Ibm

1 product

Aspera Shares

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Ibm Aspera Shares	From 1.0.0 to 1.10.0
Ibm Aspera Shares	Version 1.10.0
Ibm Aspera Shares	Version 1.10.0 patch_level1
Ibm Aspera Shares	Version 1.10.0 patch_level2
Ibm Aspera Shares	Version 1.10.0 patch_level3

Related CWEs

CWE-613

Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References (2)

https://exchange.xforce.ibmcloud.com/vulnerabilities/294742

Source: psirt@us.ibm.com

VDB EntryVendor Advisory

https://www.ibm.com/support/pages/node/7168379

Source: psirt@us.ibm.com

Vendor Advisory

Timeline

No history available yet.