Vulnerability Details CVE-2022-47986
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.943
EPSS Ranking 99.9%
CVSS Severity
CVSS v3 Score 9.8
Proposed Action
IBM Aspera Faspex could allow a remote attacker to execute code on the system, caused by a YAML deserialization flaw.
Ransomware Campaign
Known
References
- http://packetstormsecurity.com/files/171772/IBM-Aspera-Faspex-4.4.1-YAML-Deserialization.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/243512
- https://www.ibm.com/support/pages/node/6952319
- http://packetstormsecurity.com/files/171772/IBM-Aspera-Faspex-4.4.1-YAML-Deserialization.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/243512
- https://www.ibm.com/support/pages/node/6952319
Products affected by CVE-2022-47986
-
cpe:2.3:a:ibm:aspera_faspex:-
-
cpe:2.3:a:ibm:aspera_faspex:4.4.1
-
cpe:2.3:a:ibm:aspera_faspex:4.4.2
-
cpe:2.3:o:linux:linux_kernel:-
-
cpe:2.3:o:microsoft:windows:-