CVE-2022-47986

IBM Aspera Faspex code execution

CVSS 9.8 (Critical) · EPSS 100.0% · KEV · CWE-502
In short

IBM Aspera Faspex contains a flaw that lets an attacker run code of their choosing on the server by sending specially crafted requests to an outdated (obsolete) API endpoint. This is critical because the request needs no authentication or user interaction, so an attacker can take full control of the system.

Technical detail

A YAML deserialization vulnerability (CWE-502) in IBM Aspera Faspex 4.4.2 PL1 and earlier enables remote code execution through a deprecated API endpoint. An unauthenticated attacker can craft a malicious YAML payload delivered via an obsolete API call to deserialize and execute arbitrary code with system privileges. The vulnerable endpoint was removed in version 4.4.2 PL2.
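Faspex is a Ruby on Rails application, so the flaw class here is Ruby YAML (Psych) deserialization of untrusted input. The following is an added example, not Faspex code: it shows the defensive pattern for any endpoint that still accepts YAML, parsing with a class whitelist so that object-reviving tags are refused, plus a pre-parse check that surfaces Ruby-specific tags for logging or alerting. The sample documents and function names are constructed for this illustration.

```ruby
require 'yaml'

# Constructed sample request bodies; neither is taken from the advisory or from Faspex.
BENIGN_DOC = <<~YAML
  package:
    title: quarterly-report
    size: 4096
YAML

# A document carrying a Ruby object-revival tag. A whitelist parser must refuse it.
TAGGED_DOC = <<~YAML
  package: !ruby/object:Object {}
YAML

# Detection: list any Ruby-specific local tags present in a document before parsing.
# On a legacy YAML-accepting endpoint, a non-empty result is worth logging and alerting on.
def ruby_tags(doc)
  doc.scan(%r{!ruby/[\w:/]+}).uniq
end

# Hardened parse: only plain scalars, arrays and hashes are allowed; no object
# revival, no symbols, no aliases. Returns the parsed data, or a Hash whose
# :error key names the rejection reason so the caller can log it.
def safe_parse(doc)
  YAML.safe_load(doc, permitted_classes: [], permitted_symbols: [], aliases: false)
rescue Psych::DisallowedClass, Psych::BadAlias => e
  { error: e.class.name }
end

if __FILE__ == $PROGRAM_NAME
  p ruby_tags(TAGGED_DOC)   # ["!ruby/object:Object"]
  p safe_parse(BENIGN_DOC)  # {"package"=>{"title"=>"quarterly-report", "size"=>4096}}
  p safe_parse(TAGGED_DOC)  # {:error=>"Psych::DisallowedClass"}
end
```

Note that `YAML.load` is only safe by default from Psych 4 (Ruby 3.1) onward; on older Ruby it revives arbitrary objects, so call `safe_load` explicitly.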

Summary generated and translated by AI from the official description.
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
IBM · Aspera Faspex