Improper access control in IBM Aspera Faspex for Linux

#VU73780 Improper access control in IBM Aspera Faspex for Linux

Published: 2023-03-17

Vulnerability identifier: #VU73780

Vulnerability risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-27875

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
IBM Aspera Faspex for Linux
Web applications / Other software

Vendor: IBM Corporation

Description

The vulnerability allows a remote user to change credentials of other application users.

The vulnerability exists due to improper access restrictions. A remote authenticated user can change credentials of other application users and gain access to their accounts.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

IBM Aspera Faspex for Linux: 5.0.4

External links
http://exchange.xforce.ibmcloud.com/vulnerabilities/249847
http://www.ibm.com/support/pages/node/6963662

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Arbitrary account takeover in IBM Aspera Faspex