CVE-2023-30995: 
IBM Aspera Faspex vulnerability analysis and mitigation

IBM Aspera Faspex versions 4.0 through 4.4.2 and 5.0 through 5.0.5 were found to contain a security vulnerability identified as CVE-2023-30995. The vulnerability was discovered by a security researcher known as tdragon6 and was publicly disclosed in October 2023. This vulnerability affects the IP whitelist restriction functionality of the Aspera Faspex application (IBM Security Bulletin).

The vulnerability allows a malicious actor to bypass IP whitelist restrictions by using a specially crafted HTTP request. The severity of this vulnerability has been assessed with a CVSS Base score of 7.5 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating that it can be exploited remotely with low attack complexity and requires no privileges or user interaction (NVD).

If exploited, this vulnerability could allow attackers to bypass IP whitelist restrictions that are meant to control access to the system. This is not an unauthorized user access exploit, but it compromises the intended access control mechanisms of the application (IBM Security Bulletin).

IBM has released patches to address this vulnerability. Users are recommended to either upgrade to Faspex v5.0.6 or apply the latest patch. For version 4.x users, patch level 4.4.2 PL4 is available for both Linux and Windows platforms. Given the impending end of service for Version 4, IBM strongly recommends upgrading to version 5.0.6 (IBM Security Bulletin).