Mar 21, 2023 - 7:36 a.m.

Security Bulletin: IBM Aspera Faspex 5.0.4 can be vulnerable to improperly unauthorized password changes

www.ibm.com

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.001
Percentile: 36.7%

Summary

IBM Aspera Faspex could allow an unauthenticated user to change another user’s credentials. The unauthenticated user can get a token that then lets them change another user’s password. This issue has been resolved.

Vulnerability Details

**CVEID:** CVE-2023-27875
**DESCRIPTION:** IBM Aspera Faspex 5.0.4 could allow a user to change other users’ credentials due to improper access controls.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249847 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

The following product is affected by this vulnerability:

| Product(s) | Version(s) | Component(s) |
| --- | --- | --- |
| IBM Aspera Faspex | 5.0.4 | icr.io/ibmaspera/faspx_core |

Remediation/Fixes

Upgrade to the latest container image. Instructions are available at: <https://www.ibm.com/docs/en/aspera-faspex/5.0?topic=upgrades-refreshing-container-images>

| Container Image | New Image ID | Tag |
| --- | --- | --- |
| icr.io/ibmaspera/faspex_core | 0eb99934c3c2 | 5.0.4 |

Workarounds and Mitigations

None

Affected configurations

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| ibm | aspera_faspex | 5.0.4 | cpe:2.3:a:ibm:aspera_faspex:5.0.4:*:*:*:*:*:*:* |
| ibm | aspera_faspex | 1.0 | cpe:2.3:a:ibm:aspera_faspex:1.0:*:*:*:*:*:*:* |
| ibm | aspera_faspex | 1.1 | cpe:2.3:a:ibm:aspera_faspex:1.1:*:*:*:*:*:*:* |
| ibm | aspera_server_on_demand | 1.1 | cpe:2.3:a:ibm:aspera_server_on_demand:1.1:*:*:*:*:*:*:* |
| ibm | aspera_faspex_on_demand | 5.0.4 | cpe:2.3:a:ibm:aspera_faspex_on_demand:5.0.4:*:*:*:*:*:*:* |
| ibm | aspera_server_on_demand | 1.0 | cpe:2.3:a:ibm:aspera_server_on_demand:1.0:*:*:*:*:*:*:* |
