According to its self-reported version, the instance of IBM Aspera Faspex running on the remote web server is prior to 4.4.2 Patch Level 2. It is, therefore, affected by multiple vulnerabilities, including:

– IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. (CVE-2022-47986)

– zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. (CVE-2018-25032)

– Inconsistent Interpretation of HTTP Requests (‘HTTP Request Smuggling’) vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. (CVE-2022-26377)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.Read More