CVE-2022-47986
Published on February 17, 2023
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.
Known Exploited Vulnerability
This IBM Aspera Faspex Code Execution Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. IBM Aspera Faspex could allow a remote attacker to execute code on the system, caused by a YAML deserialization flaw.
The following remediation steps are recommended / required by March 14, 2023: Apply updates per vendor instructions.
Vulnerability Analysis
CVE-2022-47986 is exploitable over the network and requires neither privileges nor user interaction. Its attack complexity is rated low, and it carries the highest possible exploitability subscore (3.9). The potential impact of a successful exploit is rated critical, since the vulnerability has a high impact on the confidentiality, integrity and availability of the affected component.
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2022-47986 has been classified as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2022-47986
What versions are vulnerable to CVE-2022-47986?
Each of the following must match for the vulnerability to exist.