CVE-2023-37398
Published: 29 January 2025
Description
IBM Aspera Faspex 5.0.0 through 5.0.10 does not require users to have strong passwords by default, which makes it easier for attackers to compromise user accounts.
Security Summary
CVE-2023-37398 is a vulnerability in IBM Aspera Faspex versions 5.0.0 through 5.0.10, where the software does not enforce strong passwords by default. This weakness, classified under CWE-521 (Weak Password Requirements), enables attackers to more readily compromise user accounts through password guessing or brute-force attempts. The issue carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting network accessibility with high attack complexity but significant confidentiality impact.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. The high attack complexity arises from the need to perform repeated authentication attempts against accounts protected only by weak or default passwords. Successful exploitation allows attackers to gain unauthorized access to compromised user accounts, potentially exposing sensitive data transferred via the Faspex platform.
IBM has published an advisory detailing mitigation steps at https://www.ibm.com/support/pages/node/7181814, which security practitioners should consult for patching and configuration recommendations to enforce stronger password policies.
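The control that CWE-521 asks for is a server-side password policy that is enforced by default rather than left to the administrator to switch on. The following is an added illustration written for this page; it is not IBM's code and assumes nothing about how Faspex stores or validates credentials. It contrasts a permissive default (the weak configuration described above) with a policy that enforces length, character variety, a common-password deny list, repeated-character runs and username reuse. The deny list is a small constructed sample; a deployment would load a full breached-password corpus.

```python
"""Password-policy enforcement of the kind CWE-521 (Weak Password Requirements)
calls for. Added example for this page, not IBM Aspera Faspex code."""
import re
from dataclasses import dataclass

# Constructed deny list for the example; production systems load a large
# common/breached-password corpus instead of a handful of literals.
COMMON_PASSWORDS = frozenset({
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome", "admin", "changeme",
})


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    min_char_classes: int = 3      # out of: lowercase, uppercase, digit, symbol
    max_repeat_run: int = 3        # "aaaa" (four identical in a row) is rejected
    forbid_username: bool = True   # password must not contain the account name
    deny_list: frozenset = COMMON_PASSWORDS

    def violations(self, password: str, username: str = "") -> list[str]:
        """Return every policy rule the candidate password breaks (empty list = accepted)."""
        problems: list[str] = []

        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")

        # Count how many of the four character classes are present.
        class_patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
        classes = sum(bool(re.search(p, password)) for p in class_patterns)
        if classes < self.min_char_classes:
            problems.append(
                f"uses {classes} character classes, policy requires {self.min_char_classes}")

        # (.)\1{N,} matches a character followed by N or more copies of itself.
        if re.search(r"(.)\1{%d,}" % self.max_repeat_run, password):
            problems.append(
                f"contains a run of more than {self.max_repeat_run} identical characters")

        if password.lower() in self.deny_list:
            problems.append("appears on the common-password deny list")

        if self.forbid_username and username and username.lower() in password.lower():
            problems.append("contains the username")

        return problems

    def is_acceptable(self, password: str, username: str = "") -> bool:
        return not self.violations(password, username)


# The weak default: effectively no requirements, so trivially guessable
# passwords are accepted. This models the condition the advisory describes.
LAX_DEFAULT = PasswordPolicy(
    min_length=1, min_char_classes=1, max_repeat_run=10_000,
    forbid_username=False, deny_list=frozenset(),
)

# The corrected default: the strong policy is what ships unless an
# administrator deliberately relaxes it.
STRONG_DEFAULT = PasswordPolicy()


if __name__ == "__main__":
    for candidate in ("password", "Alice2024!!!!", "Tr0ub4dor&3xample!"):
        print(f"{candidate!r}: lax={LAX_DEFAULT.is_acceptable(candidate, 'alice')} "
              f"strong={STRONG_DEFAULT.violations(candidate, 'alice') or 'accepted'}")
```

Returning the full list of violations rather than a single boolean lets the registration or password-change endpoint tell the user exactly which rule failed, while the boolean `is_acceptable` is what the authentication service should gate on.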
Details
- CWE(s)