CVE-2023-27874: 
IBM Aspera Faspex vulnerability analysis and mitigation

IBM Aspera Faspex 4.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. The vulnerability, identified as CVE-2023-27874, was discovered and disclosed in March 2023. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands. The affected system is IBM Aspera Faspex version 4.4.2 and earlier versions (IBM Advisory).

The vulnerability is classified as an XML external entity injection (XXE) attack vulnerability. The CVSS v3.1 base score is 9.9 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating a network-accessible vulnerability with low attack complexity, requiring low privileges, no user interaction, and having critical impact on confidentiality, integrity, and availability. The vulnerability is tracked under IBM X-Force ID: 249845 (NVD).

The vulnerability allows remote authenticated attackers to execute arbitrary commands through XML data processing. This presents a severe security risk as it could lead to complete system compromise, including unauthorized access to sensitive data, system manipulation, and potential service disruption (IBM Advisory).

IBM has released multiple mitigation options: 1) Upgrade to Faspex v5, which is the recommended action given the impending end of service of Version 4, or 2) Apply the latest version 4 patch - 4.4.2 PL3. The patch is available for both Windows and Linux platforms. The fix specifically mitigates CVE-2023-27874 (IBM Advisory).