Aspera Console
Monthly
IBM Aspera Console versions 3.3.0 through 3.4.8 contain an improper rate-limiting vulnerability in the email service that allows authenticated users to trigger a denial of service condition. An attacker with valid credentials can abuse the email functionality by sending requests at excessive frequencies, exhausting service resources and rendering the email feature unavailable to legitimate users. This vulnerability requires authentication and does not provide confidentiality or integrity impact, resulting in a moderate CVSS score of 5.3.
IBM Aspera Console versions 3.3.0 through 3.4.8 contain a username enumeration vulnerability caused by observable response discrepancies in authentication mechanisms. An unauthenticated remote attacker can exploit this to enumerate valid usernames through response analysis, enabling reconnaissance for subsequent targeted attacks. With a CVSS score of 5.3 and low attack complexity, this is a low-to-moderate severity information disclosure issue suitable for standard patch management cycles rather than emergency response.
IBM Aspera Console 3.4.0 through 3.4.8 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. [CVSS 8.6 HIGH]
Aspera Console versions up to 3.4.7 is affected by insertion of sensitive information into log file (CVSS 4.9).
IBM Aspera Console versions 3.3.0 through 3.4.8 contain an improper rate-limiting vulnerability in the email service that allows authenticated users to trigger a denial of service condition. An attacker with valid credentials can abuse the email functionality by sending requests at excessive frequencies, exhausting service resources and rendering the email feature unavailable to legitimate users. This vulnerability requires authentication and does not provide confidentiality or integrity impact, resulting in a moderate CVSS score of 5.3.
IBM Aspera Console versions 3.3.0 through 3.4.8 contain a username enumeration vulnerability caused by observable response discrepancies in authentication mechanisms. An unauthenticated remote attacker can exploit this to enumerate valid usernames through response analysis, enabling reconnaissance for subsequent targeted attacks. With a CVSS score of 5.3 and low attack complexity, this is a low-to-moderate severity information disclosure issue suitable for standard patch management cycles rather than emergency response.
IBM Aspera Console 3.4.0 through 3.4.8 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. [CVSS 8.6 HIGH]
Aspera Console versions up to 3.4.7 is affected by insertion of sensitive information into log file (CVSS 4.9).