CVE-2023-37395: 
IBM Aspera Faspex vulnerability analysis and mitigation

IBM Aspera Faspex versions 5.0.0 through 5.0.7 contains a security vulnerability (CVE-2023-37395) that could allow a local user to obtain sensitive information due to improper encryption of certain data. The vulnerability was disclosed in December 2024 and affects the IBM Aspera Faspex software running on Linux platforms (IBM Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 3.3 LOW (NIST) and 2.5 LOW (IBM). The CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating that exploitation requires local access, low attack complexity, low privileges, and no user interaction. The vulnerability stems from improper encryption implementation that could expose sensitive data (NVD).

The vulnerability impacts the confidentiality of data by potentially allowing local users to access sensitive information that should be properly encrypted. The vulnerability does not affect system integrity or availability (IBM Advisory).

IBM has released version 5.0.8 to address this vulnerability along with several other security issues. It is recommended to upgrade to this version as soon as possible. No temporary workarounds have been identified (IBM Advisory).