CVE-2023-35907
Published: 29 January 2025
Description
IBM Aspera Faspex 5.0.0 through 5.0.10 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts.
Security Summary
IBM Aspera Faspex versions 5.0.0 through 5.0.10 are affected by CVE-2023-35907, a vulnerability stemming from the lack of a default requirement for strong passwords (CWE-521). This configuration weakness allows users to set weak passwords. It is rated with a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), a medium severity driven primarily by the high confidentiality impact.
Remote attackers with no privileges can exploit this over the network without user interaction, though it requires high attack complexity, likely involving brute-force attempts or password guessing against weak credentials. Successful exploitation enables compromise of user accounts, granting high-level access to confidential data within the Faspex environment.
IBM's security advisory at https://www.ibm.com/support/pages/node/7181814 provides details on mitigation, recommending enforcement of strong password policies to address the default configuration issue.
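The weakness here is a missing control rather than a code bug: nothing rejects a weak password at the point where a user sets one. The block below is an added illustration of the kind of policy the advisory recommends enforcing, written for this page and not taken from IBM or from Aspera Faspex. The policy parameters (minimum length, required character classes, the small denylist and the "weak default" policy used for contrast) are assumptions chosen to show the difference between accepting any password and enforcing a strong one; a real deployment would load a large breached-password list and set thresholds per its own standard.

```python
"""Password-policy enforcement of the kind recommended for CWE-521 weaknesses.

Illustrative example only: the thresholds, the denylist and the contrasting
"weak default" policy are assumptions, not IBM Aspera Faspex configuration.
"""
import re
import unicodedata
from dataclasses import dataclass

# Constructed sample denylist. Production systems should use a large list of
# known-breached passwords instead of this handful of entries.
COMMON_PASSWORDS = frozenset({
    "password", "password1", "123456", "12345678",
    "qwerty", "letmein", "welcome1", "admin123",
})


@dataclass(frozen=True)
class PasswordPolicy:
    """Rules a candidate password must satisfy before it is accepted."""
    min_length: int = 12
    max_length: int = 128
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    denylist: frozenset = COMMON_PASSWORDS

    def violations(self, password: str, username: str = "") -> list[str]:
        """Return every rule the candidate breaks; an empty list means it passes."""
        problems: list[str] = []
        # Normalize so visually identical Unicode forms are judged the same way.
        pw = unicodedata.normalize("NFKC", password)
        if len(pw) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if len(pw) > self.max_length:
            problems.append(f"longer than {self.max_length} characters")
        if self.require_lower and not re.search(r"[a-z]", pw):
            problems.append("no lowercase letter")
        if self.require_upper and not re.search(r"[A-Z]", pw):
            problems.append("no uppercase letter")
        if self.require_digit and not re.search(r"[0-9]", pw):
            problems.append("no digit")
        if self.require_symbol and not re.search(r"[^A-Za-z0-9]", pw):
            problems.append("no symbol")
        if pw.lower() in self.denylist:
            problems.append("appears on the common-password denylist")
        # Catch trivial decorations such as "Password1!" whose letters-only
        # core is still a denylisted word.
        core = re.sub(r"[^a-z]", "", pw.lower())
        if core and core in self.denylist:
            problems.append("letters-only core is a denylisted word")
        if username and len(username) >= 3 and username.lower() in pw.lower():
            problems.append("contains the username")
        return problems

    def is_acceptable(self, password: str, username: str = "") -> bool:
        return not self.violations(password, username)


# What "no strong password requirement by default" amounts to: every rule off.
WEAK_DEFAULT = PasswordPolicy(
    min_length=1, require_lower=False, require_upper=False,
    require_digit=False, require_symbol=False, denylist=frozenset(),
)

# A hardened policy of the kind the advisory recommends enforcing.
STRONG_POLICY = PasswordPolicy()

# An alternative that favours long passphrases over character-class rules.
PASSPHRASE_POLICY = PasswordPolicy(
    min_length=20, require_upper=False, require_digit=False, require_symbol=False,
)


if __name__ == "__main__":
    # Constructed sample inputs to show the two policies diverging.
    for candidate in ("password", "Password1!", "Tr0ub4dor&3-Faspex"):
        print(f"{candidate!r}: weak-default accepts={WEAK_DEFAULT.is_acceptable(candidate)}, "
              f"strong violations={STRONG_POLICY.violations(candidate)}")
```

The contrast between `WEAK_DEFAULT` and `STRONG_POLICY` is the whole point: the same candidate password is accepted by the first and rejected by the second, and the only thing that changed is configuration. The username check is included because account-specific strings are a common source of guessable passwords that character-class rules alone do not catch.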
Details
- CWE(s): CWE-521