CVE-2023-22869: 
IBM Aspera Faspex vulnerability analysis and mitigation

IBM Aspera Faspex versions 5.0.0 through 5.0.7 contains a vulnerability that stores potentially sensitive information in log files that could be read by a local user. The vulnerability was assigned CVE-2023-22869 and was disclosed on April 19, 2024. This security issue affects the IBM Aspera Faspex software platform (IBM Security Bulletin, NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability requires local access, low attack complexity, low privileges, and no user interaction. The scope is unchanged, with high impact on confidentiality but no impact on integrity or availability. The vulnerability is classified as CWE-532: Insertion of Sensitive Information into Log File (NVD, X-Force Exchange).

The vulnerability allows a local user to access potentially sensitive information stored in log files. The primary impact is on confidentiality, as it could lead to unauthorized disclosure of sensitive data. There is no direct impact on system integrity or availability (IBM Security Bulletin).

IBM has released version 5.0.8 of Aspera Faspex to address this vulnerability. It is recommended to upgrade to this version as soon as possible. No alternative workarounds have been provided (IBM Security Bulletin).