CVE-2023-27873: 
IBM Aspera Faspex vulnerability analysis and mitigation

IBM Aspera Faspex 4.4.2 contains a security vulnerability that allows remote authenticated attackers to obtain sensitive credential information through specially crafted XML input. The vulnerability was discovered and disclosed in March 2023, affecting IBM Aspera Faspex version 4.4.2 PL2 and earlier versions (IBM Advisory).

The vulnerability is tracked as CVE-2023-27873 and has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability requires network access and low privileges to exploit, requires no user interaction, and can result in high confidentiality impact without affecting integrity or availability (NVD).

The vulnerability allows authenticated attackers to access sensitive credential information through malicious XML input manipulation. This could potentially lead to unauthorized access to credential data, compromising the confidentiality of sensitive information stored in the system (IBM Advisory).

IBM has released patch level 3 (PL3) for Aspera Faspex 4.4.2 to address this vulnerability. Users are recommended to either upgrade to Faspex v5.0.4 or apply the 4.4.2 PL3 patch. Given the impending end of service for Version 4, IBM strongly recommends upgrading to version 5 (IBM Advisory).