CVE-2025-13148
BaseFortify
Publication date: 2025-12-11
Last updated on: 2025-12-15
Assigner: IBM Corporation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | aspera_orchestrator | From 4.0.0 (inc) to 4.1.1 (exc) |
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-620 | When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability in IBM Aspera Orchestrator versions 4.0.0 through 4.1.0 allows an authenticated user to change the password of another user without knowing that user's current password.
How can this vulnerability impact me?
An attacker who is authenticated could change other users' passwords, potentially leading to unauthorized access to user accounts and compromising the confidentiality and integrity of the system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade IBM Aspera Orchestrator to version 4.1.1 or later, as this version addresses the issue. IBM strongly recommends deploying this update to remediate the vulnerability. [1]