Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
IBM Aspera Console 3.3.0 through 3.4.8 could allow an authenticated user to cause a denial of service in the email service due to improper control of interaction frequency.
AnalysisAI
IBM Aspera Console versions 3.3.0 through 3.4.8 contain an improper rate-limiting vulnerability in the email service that allows authenticated users to trigger a denial of service condition. An attacker with valid credentials can abuse the email functionality by sending requests at excessive frequencies, exhausting service resources and rendering the email feature unavailable to legitimate users. This vulnerability requires authentication and does not provide confidentiality or integrity impact, resulting in a moderate CVSS score of 5.3.
Technical ContextAI
The vulnerability exists in IBM Aspera Console's email service component, which fails to implement adequate rate-limiting or request throttling mechanisms. This falls under CWE-799 (Improper Control of Interaction Frequency), a weakness category that encompasses scenarios where applications do not properly restrict the frequency or volume of interactions from users. The affected software is identified via CPE string cpe:2.3:a:ibm:aspera_console, spanning versions 3.3.0 through 3.4.8. The email service likely uses standard SMTP or internal mail relay mechanisms, but lacks authentication-based quotas or per-user request frequency controls that would prevent abuse by authenticated actors.
RemediationAI
Upgrade IBM Aspera Console to version 3.4.9 or later (specific version availability should be confirmed via IBM's security advisory). Organizations unable to patch immediately should implement compensating controls by restricting network access to the Aspera Console email service to trusted internal networks only, implementing authentication-based rate-limiting at a reverse proxy or WAF level to cap email service requests per authenticated user, and monitoring email service logs for unusual request frequency patterns. Enable multi-factor authentication on all Aspera Console administrative accounts to reduce the risk of compromised credentials being used for abuse.
More in Aspera Console
View allIBM Aspera Console 3.4.0 through 3.4.8 is vulnerable to SQL injection. A remote attacker could send specially crafted SQ
IBM Aspera Console 3.4.0 through 3.4.4 uses weaker than expected cryptographic algorithms that could allow an attacker t
IBM Aspera Console 3.4.0 through 3.4.4 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vul
IBM Aspera Console 3.4.0 through 3.4.4 is vulnerable to HTTP header injection, caused by improper validation of input by
IBM Aspera Console 3.4.0 through 3.4.4 could disclose sensitive information in HTTP headers that could be used in furthe
IBM Aspera Console versions 3.3.0 through 3.4.8 contain a username enumeration vulnerability caused by observable respon
Aspera Console versions up to 3.4.7 is affected by insertion of sensitive information into log file (CVSS 4.9).
IBM Aspera Console 3.4.0 through 3.4.4 is vulnerable to an XPath injection vulnerability, which could allow an authentic
IBM Aspera Console 3.4.0 through 3.4.4 allows passwords to be reused when a new user logs into the system. Rated low sev
Same weakness CWE-799 – Improper Control of Interaction Frequency
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-208657