CVE-2023-35907: 
IBM Aspera Faspex vulnerability analysis and mitigation

IBM Aspera Faspex versions 5.0.0 through 5.0.10 contains a security vulnerability related to weak password requirements by default. This vulnerability was disclosed on January 29, 2025, and is tracked as CVE-2023-35907. The affected software does not enforce strong password requirements in its default configuration, potentially exposing user accounts to compromise (IBM Security Bulletin).

The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability is network-accessible (AV:N), requires high attack complexity (AC:H), needs no privileges (PR:N), requires no user interaction (UI:N), has unchanged scope (S:U), and can result in high confidentiality impact (C:H) but no integrity (I:N) or availability (A:N) impact (NVD).

The vulnerability makes it easier for attackers to compromise user accounts due to the lack of strong password requirements in the default configuration. This could potentially lead to unauthorized access to sensitive information and system resources (IBM Security Bulletin).

IBM has released version 5.0.11 of Aspera Faspex to address this vulnerability. It is recommended to upgrade to this version as soon as possible. No specific workarounds have been provided for systems that cannot be immediately upgraded (IBM Security Bulletin).