Multiple vulnerabilities in IBM Aspera Connect and IBM Aspera Cargo



Risk High
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2023-22862
CVE-2023-27285
CWE-ID CWE-523
CWE-119
Exploitation vector Network
Public exploit N/A
Vulnerable software
Aspera Connect
Other software / Other software solutions

Aspera Cargo
Other software / Other software solutions

Vendor IBM Corporation

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Unprotected Transport of Credentials

EUVDB-ID: #VU77070

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-22862

CWE-ID: CWE-523 - Unprotected Transport of Credentials

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to IBM Aspera Connect and IBM Aspera Cargo transmits authentication credentials. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Aspera Connect: 4.2.5

Aspera Cargo: 4.2.5

CPE2.3 External links

http://www.ibm.com/support/pages/node/7001053


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Buffer overflow

EUVDB-ID: #VU77072

Risk: High

CVSSv3.1: 7.3 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-27285

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper bounds checking. A local attacker can trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Aspera Connect: 4.2.5

Aspera Cargo: 4.2.5

CPE2.3 External links

http://www.ibm.com/support/pages/node/7001053


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###