
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-38357 affects RWS WorldServer versions 11.7.3 and earlier. Session tokens have insufficient entropy and can be enumerated, which lets an attacker take over other users' sessions. The vulnerability was discovered in March 2023 and publicly disclosed in July 2023 (RedTeam Advisory).
The weakness lies in WorldServer's session management: sessions are identified by numeric tokens that are positive values below 2^31, so a token carries at most 31 bits of entropy, and the SOAP action 'loginWithToken' accepts a high number of parallel token validation attempts. During analysis, many of the tokens actually issued fell in the 7-digit range, shrinking the effective search space to a few million values and making enumeration practical. NVD assigns a CVSS v3.1 base score of 5.3 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) (NVD).
An attacker can enumerate session tokens efficiently and thereby gain unauthorized access to multiple user accounts, including administrative ones. With an administrative account it may be possible to execute arbitrary code on the underlying server by customizing the REST API. The advisory therefore rates the risk as high because of the potential for complete system compromise, which is well above the NVD score, whose vector models only a limited confidentiality impact (RedTeam Advisory).
The vulnerability is fixed in RWS WorldServer version 11.8.0. Where an immediate upgrade is not possible, a temporary workaround is to limit the rate at which requests to the token login action can be issued, for example with a frontend proxy. This only slows enumeration down; it does not remove the underlying lack of entropy (RedTeam Advisory).
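The following is an added example, not code from RWS, NVD or the advisory. It quantifies the enumeration described above (a 31-bit numeric token space that in practice collapses to 7-digit values) against a CSPRNG-backed replacement, and implements the stop-gap rate limit a frontend proxy would apply. The search-space sizes follow the figures on this page; the number of live sessions, the request rates and the token-bucket parameters are constructed assumptions, and nothing here contacts a real WorldServer.

```python
# Added example: search-space arithmetic for the enumerable token, a
# CSPRNG-backed replacement, and a per-client rate limit as a stop-gap.
import math
import secrets
import time

TOKEN_SPACE = 2**31            # page: tokens are positive values below 2^31
SEVEN_DIGIT_SPACE = 9 * 10**6  # page: many tokens observed in the 7-digit range (10^6 .. 10^7-1)


def entropy_bits(space_size: int) -> float:
    """Entropy of a token drawn uniformly from `space_size` values."""
    return math.log2(space_size)


def expected_guesses(space_size: int, live_sessions: int) -> float:
    """Mean number of distinct guesses until the first valid token is hit when
    `live_sessions` tokens are spread uniformly over `space_size` values
    (the first of k marked items in a random ordering of n sits at (n+1)/(k+1))."""
    return (space_size + 1) / (live_sessions + 1)


def time_to_first_hit(space_size: int, live_sessions: int, req_per_sec: float) -> float:
    """Seconds of sustained guessing before the first session is hijacked."""
    return expected_guesses(space_size, live_sessions) / req_per_sec


def strong_token(nbytes: int = 16) -> str:
    """The generic remedy: 128 bits from the OS CSPRNG. This is what a fixed
    issuer should hand out; it is not a description of 11.8.0's implementation."""
    return secrets.token_urlsafe(nbytes)


class TokenBucket:
    """Per-client token-bucket limiter of the kind a frontend proxy can place in
    front of the token login action. `clock` is injectable so tests can drive time."""

    def __init__(self, rate_per_sec: float, burst: int, clock=time.monotonic):
        self.rate = rate_per_sec
        self.burst = burst
        self.clock = clock
        self._state = {}  # client -> (tokens left, last refill time)

    def allow(self, client: str) -> bool:
        now = self.clock()
        tokens, last = self._state.get(client, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._state[client] = (tokens - 1.0, now)
            return True
        self._state[client] = (tokens, now)
        return False


if __name__ == "__main__":
    # Constructed scenario: 9 live sessions, attacker sustaining 1000 req/s.
    cases = (("7-digit tokens", SEVEN_DIGIT_SPACE),
             ("full 2^31 space", TOKEN_SPACE),
             ("128-bit tokens", 2**128))
    for name, space in cases:
        print(f"{name}: {entropy_bits(space):.1f} bits, first hit after "
              f"~{time_to_first_hit(space, 9, 1000):.3g} s at 1000 req/s")
    # The workaround only stretches the timeline: at 1 req/s the 7-digit case
    # takes 1000x longer, and a distributed attacker can add more clients.
    print(f"rate-limited to 1 req/s: ~{time_to_first_hit(SEVEN_DIGIT_SPACE, 9, 1):.3g} s")
    print("replacement token:", strong_token())
```

With nine live sessions in a 7-digit space an attacker averages about 900,000 guesses, roughly fifteen minutes at 1,000 requests per second and about ten days at one request per second; a 128-bit token pushes the same figure beyond any practical horizon. That is why the per-client limit is only a stop-gap (an attacker spread over many source addresses multiplies the permitted rate) and the upgrade to 11.8.0 is the actual fix.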
Source: This report was generated using AI