CVE-2023-37401 - Vulnerability Details - OpenCVE

IBM Aspera Faspex 5.0.0 through 5.0.13.1 uses a cross-domain policy file that includes domains that should not be trusted.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Ibm	Aspera Faspex

No data.

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

IBM strongly recommends addressing the vulnerabilities now by upgrading to Faspex 5.0.14 available from the link below. ProductFixing VRMPlatformLink to FixIBM Aspera Faspex5.0.14 Linux click here https://www.ibm.com/support/fixcentral/swg/downloadFixes

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.ibm.com/support/pages/node/7247502

History

Thu, 09 Oct 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 09 Oct 2025 14:00:00 +0000

Type	Values Removed	Values Added
Description		IBM Aspera Faspex 5.0.0 through 5.0.13.1 uses a cross-domain policy file that includes domains that should not be trusted.
Title		IBM Aspera Faspex cross-origin resource sharing
First Time appeared		Ibm Ibm aspera Faspex
Weaknesses		CWE-942
CPEs		cpe:2.3:a:ibm:aspera_faspex:5.0.0.0:::::::* cpe:2.3:a:ibm:aspera_faspex:5.0.13.1:::::::*
Vendors & Products		Ibm Ibm aspera Faspex
References		https://www.ibm.com/support/pages/node/7247502
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2025-10-09T13:54:38.846Z

Updated: 2025-10-09T19:06:07.254Z

Reserved: 2023-07-05T15:59:03.335Z

Link: CVE-2023-37401

Vulnrichment

Updated: 2025-10-09T19:06:04.012Z

NVD

Status : Awaiting Analysis

Published: 2025-10-09T14:15:53.703

Modified: 2025-10-09T15:50:04.013

Link: CVE-2023-37401

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-37401", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2023-07-05T15:59:03.335Z", "datePublished": "2025-10-09T13:54:38.846Z", "dateUpdated": "2025-10-09T19:06:07.254Z"}, "containers": {"cna": {"affected": [{"cpes": ["cpe:2.3:a:ibm:aspera_faspex:5.0.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:aspera_faspex:5.0.13.1:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "product": "Aspera Faspex", "vendor": "IBM", "versions": [{"lessThanOrEqual": "5.0.13.1", "status": "affected", "version": "5.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "IBM Aspera Faspex 5.0.0 through 5.0.13.1 uses a cross-domain policy file that includes domains that should not be trusted."}], "value": "IBM Aspera Faspex 5.0.0 through 5.0.13.1 uses a cross-domain policy file that includes domains that should not be trusted."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-942", "description": "CWE-942 Overly Permissive Cross-domain Whitelist", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2025-10-09T13:56:50.098Z"}, "references": [{"tags": ["vendor-advisory", "patch"], "url": "https://www.ibm.com/support/pages/node/7247502"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>IBM strongly recommends addressing the vulnerabilities now by upgrading to Faspex 5.0.14 available from the link below.</div><p> </p><div><table><tbody><tr><td><strong>Product</strong></td><td><strong>Fixing VRM</strong></td><td><strong>Platform</strong></td><td><strong>Link to Fix</strong></td></tr><tr><td>IBM Aspera Faspex</td><td><div>5.0.14</div></td><td>Linux</td><td><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/IBM+Aspera+Faspex+Server&release=All&platform=All&function=fixId&fixids=ibm-aspera-faspex-5.0.14.8861.x86_64&includeRequisites=1&includeSupersedes=0&downloadMethod=http\">click here</a></td></tr></tbody></table></div><p> </p>\n\n<br>"}], "value": "IBM strongly recommends addressing the vulnerabilities now by upgrading to Faspex 5.0.14 available from the link below.\n\n\u00a0\n\nProductFixing VRMPlatformLink to FixIBM Aspera Faspex5.0.14\n\nLinux click here https://www.ibm.com/support/fixcentral/swg/downloadFixes"}], "source": {"discovery": "UNKNOWN"}, "title": "IBM Aspera Faspex cross-origin resource sharing", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-09T19:05:57.796792Z", "id": "CVE-2023-37401", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-09T19:06:07.254Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-37401", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-09T19:05:57.796792Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-09T19:06:04.012Z"}}], "cna": {"title": "IBM Aspera Faspex cross-origin resource sharing", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:ibm:aspera_faspex:5.0.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:aspera_faspex:5.0.13.1:*:*:*:*:*:*:*"], "vendor": "IBM", "product": "Aspera Faspex", "versions": [{"status": "affected", "version": "5.0.0", "versionType": "semver", "lessThanOrEqual": "5.0.13.1"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "IBM strongly recommends addressing the vulnerabilities now by upgrading to Faspex 5.0.14 available from the link below.\n\n\u00a0\n\nProductFixing VRMPlatformLink to FixIBM Aspera Faspex5.0.14\n\nLinux click here https://www.ibm.com/support/fixcentral/swg/downloadFixes", "supportingMedia": [{"type": "text/html", "value": "<div>IBM strongly recommends addressing the vulnerabilities now by upgrading to Faspex 5.0.14 available from the link below.</div><p> </p><div><table><tbody><tr><td><strong>Product</strong></td><td><strong>Fixing VRM</strong></td><td><strong>Platform</strong></td><td><strong>Link to Fix</strong></td></tr><tr><td>IBM Aspera Faspex</td><td><div>5.0.14</div></td><td>Linux</td><td><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/IBM+Aspera+Faspex+Server&release=All&platform=All&function=fixId&fixids=ibm-aspera-faspex-5.0.14.8861.x86_64&includeRequisites=1&includeSupersedes=0&downloadMethod=http\">click here</a></td></tr></tbody></table></div><p> </p>\n\n<br>", "base64": false}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7247502", "tags": ["vendor-advisory", "patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "IBM Aspera Faspex 5.0.0 through 5.0.13.1 uses a cross-domain policy file that includes domains that should not be trusted.", "supportingMedia": [{"type": "text/html", "value": "IBM Aspera Faspex 5.0.0 through 5.0.13.1 uses a cross-domain policy file that includes domains that should not be trusted.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-942", "description": "CWE-942 Overly Permissive Cross-domain Whitelist"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2025-10-09T13:56:50.098Z"}}}, "cveMetadata": {"cveId": "CVE-2023-37401", "state": "PUBLISHED", "dateUpdated": "2025-10-09T19:06:07.254Z", "dateReserved": "2023-07-05T15:59:03.335Z", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "datePublished": "2025-10-09T13:54:38.846Z", "assignerShortName": "ibm"}, "dataVersion": "5.1"}