Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM899A0A3206EF524A1D4AEDCFA7E142C82B8FB487E335F61ED3FDF9C64E0C0795
HistoryJun 20, 2023 - 10:11 p.m.

Security Bulletin: IBM Aspera Faspex 4.4.2 PL3 has addressed multiple vulnerabilities (CVE-2023-27871, CVE-2023-27873, CVE-2023-27874)

2023-06-2022:11:22
www.ibm.com
24
ibm aspera
faspex 4.4.2 pl3
xml external entity injection
sensitive credential information
upgrade
faspex v5
patch
security vulnerabilities

0.001 Low

EPSS

Percentile

46.9%

JSON

Summary

This Security Bulletin addresses security vulnerabilities that have been remediated (CVE-2023-27871, CVE-2023-27873) and mitigated (CVE-2023-27874) in IBM Aspera Faspex 4.4.2 PL3.

Vulnerability Details

CVEID:CVE-2023-27874
**DESCRIPTION:**IBM Aspera is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands.
CVSS Base score: 9.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249845 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVEID:CVE-2023-27871
**DESCRIPTION:**IBM Aspera Faspex could allow a remote attacker to obtain sensitive credential information for an external user, using a specially crafted SQL query.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249613 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-27873
**DESCRIPTION:**IBM Aspera Faspex could allow a remote authenticated attacker to obtain sensitive credential information using specially crafted XML input.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249654 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM Aspera Faspex 4.4.2 PL2 and earlier versions.

Remediation/Fixes

It is recommended that customers take one of the following actions as soon as possible:

1. Upgrade to Faspex v5. Given the impending end of service of Version 4 later this year, this is an important action all customers should take.

Faspex 5.0.4 can be downloaded from here. Installation instructions can be found here.

2. Apply the latest version 4 patch - 4.4.2 PL3, see links below.

Product(s) Fixing VRM Platform Link to Fix
IBM Aspera Faspex

4.4.2 PL3

| Windows| click here
IBM Aspera Faspex|

4.4.2 PL3

| Linux| click here

Workarounds and Mitigations

This fix mitigates CVE-2023-27874.

Related

cnvd 3
prion 3
cvelist 3
cve 3
cnvd
cnvd
IBM Aspera Faspex Information Disclosure Vulnerability
2023-03-23 00:00:00
IBM Aspera Faspex SQL Injection Vulnerability
2023-03-23 00:00:00
IBM Aspera XML External Entity Injection Vulnerability
2023-03-23 00:00:00
prion
prion
Input validation
2023-03-21 15:15:00
Xxe
2023-03-21 15:15:00
Code injection
2023-03-21 15:15:00
cvelist
cvelist
CVE-2023-27873 IBM Aspera Faspex information disclosure
2023-03-21 14:37:03
CVE-2023-27871 IBM Aspera Faspex information disclosure
2023-03-21 14:29:53
CVE-2023-27874 IBM Aspera Faspex XML external entity injection
2023-03-21 14:33:20
cve
cve
CVE-2023-27871
2023-03-21 15:15:12
CVE-2023-27873
2023-03-21 15:15:12
CVE-2023-27874
2023-03-21 15:15:12

0.001 Low

EPSS

Percentile

46.9%

JSON
Related for 899A0A3206EF524A1D4AEDCFA7E142C82B8FB487E335F61ED3FDF9C64E0C0795
cnvd3prion3cvelist3cve3