Aspera Orchestrator Vulnerable to HTTP Header Injection
CVE-2023-26289
5.4 MEDIUM
Summary
IBM Aspera Orchestrator 4.0.1 is vulnerable to HTTP header injection caused by insufficient validation of input in the HTTP Host header. An attacker may be able to use this weakness to conduct attacks such as cross-site scripting, cache poisoning, and session hijacking, which could compromise the integrity and confidentiality of user data on affected systems. Organizations using this product should assess their exposure and apply the necessary mitigations promptly.
Affected Version(s)
Aspera Orchestrator 4.0.1
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Collectors
NVD Database, Mitre Database