CVE-2023-27874

Published: Mar 21, 2023Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

IBM Aspera Faspex 4.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands. IBM X-Force ID: 249845.

Affected (3)

Products: Ibm: Aspera Faspex

Ibm

1 product

Aspera Faspex

Configuration A

3 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Ibm Aspera Faspex	Up to 4.4.2
Ibm Aspera Faspex	Version 4.4.2 patch_level_1
Ibm Aspera Faspex	Version 4.4.2 patch_level_2

Running on/with	Platform Versions
Linux Linux Kernel	All versions

Related CWEs

CWE-611

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (4)

https://exchange.xforce.ibmcloud.com/vulnerabilities/249845

Source: psirt@us.ibm.com

VDB EntryVendor Advisory

https://www.ibm.com/support/pages/node/6964694

Source: psirt@us.ibm.com

PatchVendor Advisory

https://exchange.xforce.ibmcloud.com/vulnerabilities/249845

Source: af854a3a-2127-422b-91ae-364da2661108

VDB EntryVendor Advisory

https://www.ibm.com/support/pages/node/6964694

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.