CVE-2022-22401: 
IBM Aspera Faspex vulnerability analysis and mitigation

IBM Aspera Faspex 5.0.5 contains a security vulnerability (CVE-2022-22401) that could allow a remote attacker to gather or persuade a naive user to supply sensitive information. The vulnerability was disclosed on September 8, 2023, and affects IBM Aspera Faspex versions up to and including 5.0.5 (IBM Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, while IBM rated it with a score of 5.9 MEDIUM and vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-311 (Missing Encryption of Sensitive Data) (NVD).

The vulnerability primarily affects the confidentiality of information, with potential for sensitive data exposure. An attacker could successfully gather sensitive information or manipulate users into providing sensitive data (IBM Advisory).

IBM has released version 5.0.6 of Aspera Faspex to address this vulnerability along with several others. It is recommended to upgrade to this version as soon as possible. No specific workarounds have been provided as alternatives to upgrading (IBM Advisory).