CVE-2022-47986

CVE Published	2023-02-17
Related CWE(s)	CWE-502: Deserialization of Untrusted Data
Related Vendor(s)	ibm
Related Product(s)	aspera_faspex
Exploitation Reported (CISA KEV)	2023-02-21
CVSS 3 Base Score	9.8 (CRITICAL)
CVSS 3 Attack Complexity	LOW
CVSS 3 Attack Vector	NETWORK

IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.

Cyber Threat Graph Context

Explore how this CVE relates to the wider threat graph

Threat Reports Related to CVE-2022-47986

Report

Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets

This report from Microsoft Threat Intelligence describes a subset of activity related to the Mint Sandstorm actor. The campaign includes the theft ...

View Source

Associated CAPEC Patterns

Object Injection (CAPEC-586)

An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.

References