Security Bulletin: IBM Aspera Faspex 5.0.4 can be vulnerable to improperly unauthorized password changes

2023-03-2107:36:28

www.ibm.com

0.001 Low

EPSS

Percentile

36.3%

JSON

Summary

IBM Aspera Faspex could allow an unauthenticated user to change another user’s credentials. The unauthenticated user can get a token that then lets them change another user’s password. This issue has been resolved.

Vulnerability Details

CVEID:CVE-2023-27875
**DESCRIPTION:**IBM Aspera Faspex 5.0.4 could allow a user to change other user’s credentials due to improper access controls.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249847 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

The following is impacted by this vulnerability

Product(s)	Version(s)	Component(s)
IBM Aspera Faspex	5.0.4	icr.io/ibmaspera/faspx_core

Remediation/Fixes

Upgrade to the latest container image. Instructions are available at: <https://www.ibm.com/docs/en/aspera-faspex/5.0?topic=upgrades-refreshing-container-images>

Container Image	New Image ID	Tag
icr.io/ibmaspera/faspex_core	0eb99934c3c2	5.0.4

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm aspera faspexeq5.0.4
ibm asperaeq1.0
ibm aspera sdkeq1.1
ibm aspera enterprise on demandeq1.1
ibm aspera faspex on demandeq5.0.4
ibm aspera enterpriseeq1.0
ibm aspera on demandeq1.0

Name	Operator	Version
ibm aspera faspex	eq	5.0.4
ibm aspera	eq	1.0
ibm aspera sdk	eq	1.1
ibm aspera enterprise on demand	eq	1.1
ibm aspera faspex on demand	eq	5.0.4
ibm aspera enterprise	eq	1.0
ibm aspera on demand	eq	1.0

0.001 Low

EPSS

Percentile

36.3%

JSON

Related for B62EB8C30312689F6C51A22B0FDD0EFCE1CB892C5EB4EFBD536F0037B8B6A47E