cnvd - cnvd-2024-35113

CNVD-2024-35113

Vulnerability from cnvd - Published: 2024-08-12

Title

IBM Aspera Orchestrator HTTP头注入漏洞

Description

IBM Aspera Orchestrator是美国国际商业机器（IBM）公司的一个基于Web的应用程序。可为数据驱动型企业提供高效的文件处理管道。 IBM Aspera Orchestrator 4.0.1版本存在HTTP头注入漏洞，攻击者可利用该漏洞对易受攻击的系统进行各种攻击，包括跨站点脚本、缓存中毒或会话劫持。

Severity

中

Patch Name

IBM Aspera Orchestrator HTTP头注入漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.ibm.com/support/pages/node/7161537

Reference

https://nvd.nist.gov/vuln/detail/CVE-2023-26289

Impacted products

Name
IBM Aspera Orchestrator 4.0.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-26289"
    }
  },
  "description": "IBM Aspera Orchestrator\u662f\u7f8e\u56fd\u56fd\u9645\u5546\u4e1a\u673a\u5668\uff08IBM\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u57fa\u4e8eWeb\u7684\u5e94\u7528\u7a0b\u5e8f\u3002\u53ef\u4e3a\u6570\u636e\u9a71\u52a8\u578b\u4f01\u4e1a\u63d0\u4f9b\u9ad8\u6548\u7684\u6587\u4ef6\u5904\u7406\u7ba1\u9053\u3002\n\nIBM Aspera Orchestrator 4.0.1\u7248\u672c\u5b58\u5728HTTP\u5934\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bf9\u6613\u53d7\u653b\u51fb\u7684\u7cfb\u7edf\u8fdb\u884c\u5404\u79cd\u653b\u51fb\uff0c\u5305\u62ec\u8de8\u7ad9\u70b9\u811a\u672c\u3001\u7f13\u5b58\u4e2d\u6bd2\u6216\u4f1a\u8bdd\u52ab\u6301\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.ibm.com/support/pages/node/7161537",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-35113",
  "openTime": "2024-08-12",
  "patchDescription": "IBM Aspera Orchestrator\u662f\u7f8e\u56fd\u56fd\u9645\u5546\u4e1a\u673a\u5668\uff08IBM\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u57fa\u4e8eWeb\u7684\u5e94\u7528\u7a0b\u5e8f\u3002\u53ef\u4e3a\u6570\u636e\u9a71\u52a8\u578b\u4f01\u4e1a\u63d0\u4f9b\u9ad8\u6548\u7684\u6587\u4ef6\u5904\u7406\u7ba1\u9053\u3002\r\n\r\nIBM Aspera Orchestrator 4.0.1\u7248\u672c\u5b58\u5728HTTP\u5934\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bf9\u6613\u53d7\u653b\u51fb\u7684\u7cfb\u7edf\u8fdb\u884c\u5404\u79cd\u653b\u51fb\uff0c\u5305\u62ec\u8de8\u7ad9\u70b9\u811a\u672c\u3001\u7f13\u5b58\u4e2d\u6bd2\u6216\u4f1a\u8bdd\u52ab\u6301\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "IBM Aspera Orchestrator HTTP\u5934\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "IBM Aspera Orchestrator 4.0.1"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2023-26289",
  "serverity": "\u4e2d",
  "submitTime": "2024-08-01",
  "title": "IBM Aspera Orchestrator HTTP\u5934\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2023-26289 (GCVE-0-2023-26289)

Vulnerability from cvelistv5 – Published: 2024-07-30 16:50 – Updated: 2024-08-02 11:46

Title

IBM Aspera Orchestrator HTTP header injection

Summary

IBM Aspera Orchestrator 4.0.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 248478.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-644 - Improper Neutralization of HTTP Headers for Scripting Syntax

Assigner

ibm

References

URL

Tags

	https://www.ibm.com/support/pages/node/7161537	vendor-advisory
	https://exchange.xforce.ibmcloud.com/vulnerabilit…	vdb-entry

Impacted products

	Vendor	Product	Version
	IBM	Aspera Orchestrator	Affected: 4.0.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-26289",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-30T17:27:19.730056Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-30T17:27:26.142Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:46:23.507Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.ibm.com/support/pages/node/7161537"
          },
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/248478"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Aspera Orchestrator",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "4.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "IBM Aspera Orchestrator 4.0.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers.  This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.  IBM X-Force ID:  248478."
            }
          ],
          "value": "IBM Aspera Orchestrator 4.0.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers.  This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.  IBM X-Force ID:  248478."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-644",
              "description": "CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-30T16:50:29.871Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.ibm.com/support/pages/node/7161537"
        },
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/248478"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IBM Aspera Orchestrator HTTP header injection",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2023-26289",
    "datePublished": "2024-07-30T16:50:29.871Z",
    "dateReserved": "2023-02-21T13:55:50.151Z",
    "dateUpdated": "2024-08-02T11:46:23.507Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2024-35113

CVE-2023-26289 (GCVE-0-2023-26289)

Tags

Sightings

Nomenclature