IBM Aspera Faspex Users Beware of XML External Entity Injection Vulnerability

CVE: CVE-2023-27874
CVSS v3.1: 9.9
Source: CVE-2023-27874

IBM Aspera Faspex, a file transfer application, is vulnerable to an XML external entity injection (XXE) attack in versions prior to 4.4.2. XXE attacks abuse the way an XML processor resolves external entities, turning the parser into a way to read local files, reach internal network services, and contact external web sites while the document is being parsed.

An authenticated remote attacker could exploit this vulnerability by submitting a specially crafted XML document containing external entity references to the affected software. This would allow the attacker to read arbitrary files that the Faspex process can access, or to cause a denial of service.

XXE attacks work by declaring external entities in the DOCTYPE (DTD) section of an XML document and then referencing them in the document body. An external entity points at content outside the document: a local file (file:///etc/passwd), a resource reachable over a network protocol such as HTTP, or a path resolved against the document's base URI. When a parser that resolves external entities dereferences the reference, the content it fetched is substituted into the document, and whatever the application then does with that element (stores it, displays it, or echoes it in a response or error message) exposes the content to the attacker. The same entity machinery can also be used for denial of service, since nested entity definitions expand to far more data than the document itself contains.
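The following is an added example, not code from the original page or from IBM Aspera Faspex, that shows the mechanism described above end to end. It builds a constructed XXE payload whose SYSTEM entity points at a constructed secret file, parses it once with a parser that dereferences external entities (the vulnerable behaviour) and once with a parser that refuses any DOCTYPE (the hardened behaviour). The element name `<package><name>` and the secret file contents are assumptions chosen for illustration; the resolver is written by hand on top of Python's expat so the dereference step is visible rather than hidden inside a library default.

```python
import os
import tempfile
import urllib.request
import xml.parsers.expat as expat


def build_payload(target):
    """Constructed XXE payload (an assumption, not a real Faspex request):
    an external general entity bound to a local file and dereferenced inside
    an element the application later stores or echoes back."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE package [\n'
        f'  <!ENTITY xxe SYSTEM "file://{target}">\n'
        ']>\n'
        '<package><name>&xxe;</name></package>\n'
    )


class PackageParser:
    """Minimal expat wrapper that collects the text of <name>.
    resolve_external=True selects the vulnerable behaviour (dereference
    SYSTEM entities); False selects the hardened behaviour (reject any
    DOCTYPE, so no entity can be declared in the first place)."""

    def __init__(self, resolve_external):
        self.parser = expat.ParserCreate()
        self.in_name = False
        self.name_chunks = []
        self.parser.StartElementHandler = self._start
        self.parser.EndElementHandler = self._end
        self.parser.CharacterDataHandler = self._chars
        if resolve_external:
            self.parser.ExternalEntityRefHandler = self._fetch_entity
        else:
            self.parser.StartDoctypeDeclHandler = self._reject_doctype

    def _start(self, name, attrs):
        if name == "name":
            self.in_name = True

    def _end(self, name):
        if name == "name":
            self.in_name = False

    def _chars(self, data):
        if self.in_name:
            self.name_chunks.append(data)

    def _fetch_entity(self, context, base, system_id, public_id):
        # Vulnerable behaviour: open whatever URI the document named and feed
        # its bytes to a sub-parser that shares this parser's handlers, so the
        # file contents arrive in _chars exactly as if they were in the document.
        with urllib.request.urlopen(system_id) as fh:
            data = fh.read()
        sub = self.parser.ExternalEntityParserCreate(context)
        sub.Parse(data, True)
        return 1

    def _reject_doctype(self, name, system_id, public_id, has_internal_subset):
        # Hardened behaviour: untrusted documents have no business carrying a
        # DTD; refusing it blocks external entities and expansion-based DoS.
        raise ValueError("DOCTYPE not allowed in untrusted XML")

    def parse(self, xml_text):
        self.parser.Parse(xml_text.encode(), True)
        return "".join(self.name_chunks)


def demo():
    """Writes a constructed secret file, then parses the same payload with
    both parsers. Returns (text leaked by the vulnerable parser, outcome of
    the hardened parser)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("db_password=hunter2")  # constructed sample secret
        payload = build_payload(secret)
        leaked = PackageParser(resolve_external=True).parse(payload)
        try:
            PackageParser(resolve_external=False).parse(payload)
            hardened = "parsed"
        except ValueError as err:
            hardened = str(err)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo()
    print("vulnerable parser returned:", leaked)
    print("hardened parser:", hardened)
```

The vulnerable path returns the secret file's contents as the value of `<name>`, which is the read-arbitrary-files outcome the advisory describes; the hardened path never reaches the entity at all. In a real service the choice is usually a parser option rather than a hand-written handler (disabling DTDs or external entity resolution in whatever XML library is in use), but the property to verify is the same: an untrusted document must not be able to make the parser open a file or a network connection.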

Users of IBM Aspera Faspex versions prior to 4.4.2 should upgrade to 4.4.2 or later to address this vulnerability. Beyond patching, the standard XXE mitigation applies to any component that parses untrusted XML: disable DTD processing and external entity resolution in the parser, run the parsing process with the least privilege it needs so a successful read exposes as little as possible, and validate XML input against the structure the application actually expects. Keeping software components regularly patched remains the most reliable way to pick up fixes for vulnerabilities of this kind.
