CVE-2020-4432

HIGH

IBM Aspera Products - Authenticated Command Injection via SOAP API

Description

Certain IBM Aspera applications are vulnerable to command injection after valid authentication, which could allow an attacker with intimate knowledge of the system to execute commands in a SOAP API. IBM X-Force ID: 180810.

References (2)

Core References
Vendor Advisory x_refsource_confirm
https://www.ibm.com/support/pages/node/6221324
VDB Entry, Vendor Advisory vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/180810

Scores

CVSS v3 7.5
EPSS 0.0342
EPSS Percentile 87.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-77
Status published
Products (10)
ibm/aspera_application_platform_on_demand < 3.7.4
ibm/aspera_faspex_on_demand < 3.7.4
ibm/aspera_high-speed_transfer_endpoint < 3.9.3
ibm/aspera_high-speed_transfer_server < 3.9.3
ibm/aspera_high-speed_transfer_server_for_cloud_pak_for_integration < 3.9.10
ibm/aspera_proxy_server < 1.4.3
ibm/aspera_server_on_demand < 3.7.4
ibm/aspera_shares_on_demand < 3.7.4
ibm/aspera_streaming < 3.9.3
ibm/aspera_transfer_cluster_manager < 1.3.1
Published Jun 10, 2020
Tracked Since Feb 18, 2026