Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
IBM Aspera Console 3.3.0 through 3.4.8 could allow an attacker to enumerate usernames due to an observable response discrepancy.
AnalysisAI
IBM Aspera Console versions 3.3.0 through 3.4.8 contain a username enumeration vulnerability caused by observable response discrepancies in authentication mechanisms. An unauthenticated remote attacker can exploit this to enumerate valid usernames through response analysis, enabling reconnaissance for subsequent targeted attacks. With a CVSS score of 5.3 and low attack complexity, this is a low-to-moderate severity information disclosure issue suitable for standard patch management cycles rather than emergency response.
Technical ContextAI
The vulnerability exists in IBM Aspera Console (cpe:2.3:a:ibm:aspera_console) and falls under CWE-204 (Observable Response Discrepancy), a timing or behavioral analysis class where the system leaks information through differences in error messages, response times, or HTTP status codes during authentication attempts. In this case, the Aspera Console authentication handler likely returns distinguishable responses when presented with valid versus invalid usernames—for example, different HTTP status codes (401 vs 404), varying response lengths, or distinct error message strings. This allows attackers to systematically probe the application to determine which usernames exist in the system without needing valid credentials. The vulnerability is specific to the Aspera Console product line, a commercial file transfer and workflow acceleration platform commonly deployed in enterprise environments for high-performance data distribution.
RemediationAI
Immediately upgrade IBM Aspera Console to version 3.4.9 or later, or to the latest 3.5.x release if available, following IBM's official patch guidance and pre-upgrade compatibility checks for your deployment. If immediate patching is not feasible, implement network-level access controls to restrict Aspera Console authentication endpoints to trusted IP ranges, disable or firewall any public-facing authentication interfaces, and deploy HTTP request logging to detect enumeration attempts (e.g., high volumes of failed login requests to the same endpoint with varying usernames). Enable multi-factor authentication where supported to reduce the impact of compromised credentials obtained through enumeration. Monitor Aspera console logs for suspicious authentication patterns and coordinate with identity and access management teams to enforce strong password policies that reduce the value of enumerated usernames to attackers.
More in Aspera Console
View allIBM Aspera Console 3.4.0 through 3.4.8 is vulnerable to SQL injection. A remote attacker could send specially crafted SQ
IBM Aspera Console 3.4.0 through 3.4.4 uses weaker than expected cryptographic algorithms that could allow an attacker t
IBM Aspera Console 3.4.0 through 3.4.4 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vul
IBM Aspera Console 3.4.0 through 3.4.4 is vulnerable to HTTP header injection, caused by improper validation of input by
IBM Aspera Console 3.4.0 through 3.4.4 could disclose sensitive information in HTTP headers that could be used in furthe
IBM Aspera Console versions 3.3.0 through 3.4.8 contain an improper rate-limiting vulnerability in the email service tha
Aspera Console versions up to 3.4.7 is affected by insertion of sensitive information into log file (CVSS 4.9).
IBM Aspera Console 3.4.0 through 3.4.4 is vulnerable to an XPath injection vulnerability, which could allow an authentic
IBM Aspera Console 3.4.0 through 3.4.4 allows passwords to be reused when a new user logs into the system. Rated low sev
Same weakness CWE-204 – Observable Response Discrepancy
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-208660