CVE-2022-47986

IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://packetstormsecurity.com/files/171772/IBM-Aspera-Faspex-4.4.1-YAML-Deserialization.html	Third Party Advisory VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/243512	VDB Entry Vendor Advisory
https://www.ibm.com/support/pages/node/6952319	Patch Vendor Advisory
http://packetstormsecurity.com/files/171772/IBM-Aspera-Faspex-4.4.1-YAML-Deserialization.html	Third Party Advisory VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/243512	VDB Entry Vendor Advisory
https://www.ibm.com/support/pages/node/6952319	Patch Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-47986	US Government Resource

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:ibm:aspera_faspex::::::::
	cpe:2.3:a:ibm:aspera_faspex:4.4.2:-::::::
	cpe:2.3:a:ibm:aspera_faspex:4.4.2:patch_level_1::::::

OR	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

History

27 Oct 2025, 14:14

Type	Values Removed	Values Added
References	~~() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-47986 -~~	() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-47986 - US Government Resource

22 Oct 2025, 00:18

Type	Values Removed	Values Added
References		() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-47986 -

21 Oct 2025, 20:19

Type	Values Removed	Values Added
References	~~{'url': 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-47986', 'source': '134c704f-9b21-4f2e-91b3-4a467353bcc0'}~~

21 Oct 2025, 19:19

Type	Values Removed	Values Added
References		() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-47986 -

13 Feb 2025, 17:15

Type	Values Removed	Values Added
Summary	(en) IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.	(en) IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.

21 Nov 2024, 07:32

Type	Values Removed	Values Added
Summary		(es) IBM Aspera Faspex 4.4.2 Patch Level 1 y anteriores podrían permitir que un atacante remoto ejecute código arbitrario en el sistema, causado por una falla de deserialización de YAML. Al enviar una llamada API obsoleta especialmente manipulada, un atacante podría aprovechar esta vulnerabilidad para ejecutar código arbitrario en el sistema. La llamada API obsoleta se eliminó en Faspex 4.4.2 PL2. ID de IBM X-Force: 243512.
References	~~() http://packetstormsecurity.com/files/171772/IBM-Aspera-Faspex-4.4.1-YAML-Deserialization.html - Third Party Advisory, VDB Entry~~	() http://packetstormsecurity.com/files/171772/IBM-Aspera-Faspex-4.4.1-YAML-Deserialization.html - Third Party Advisory, VDB Entry
References	~~() https://exchange.xforce.ibmcloud.com/vulnerabilities/243512 - VDB Entry, Vendor Advisory~~	() https://exchange.xforce.ibmcloud.com/vulnerabilities/243512 - VDB Entry, Vendor Advisory
References	~~() https://www.ibm.com/support/pages/node/6952319 - Patch, Vendor Advisory~~	() https://www.ibm.com/support/pages/node/6952319 - Patch, Vendor Advisory

26 Apr 2023, 20:01

Type	Values Removed	Values Added
References	~~(MISC) http://packetstormsecurity.com/files/171772/IBM-Aspera-Faspex-4.4.1-YAML-Deserialization.html -~~	(MISC) http://packetstormsecurity.com/files/171772/IBM-Aspera-Faspex-4.4.1-YAML-Deserialization.html - Third Party Advisory, VDB Entry
CPE	cpe:2.3:a:ibm:aspera_faspex:4.4.1:patch_level_1::::::	cpe:2.3:a:ibm:aspera_faspex:4.4.2:-:::::: cpe:2.3:a:ibm:aspera_faspex:4.4.2:patch_level_1::::::

10 Apr 2023, 20:15

Type	Values Removed	Values Added
References		(MISC) http://packetstormsecurity.com/files/171772/IBM-Aspera-Faspex-4.4.1-YAML-Deserialization.html -
Summary	IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.	IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.

Information

Published : 2023-02-17 16:15

Updated : 2025-10-27 14:14

NVD link : CVE-2022-47986

Mitre link : CVE-2022-47986

CVE.ORG link : CVE-2022-47986

JSON object : View

Products Affected

ibm

aspera_faspex

linux

linux_kernel

microsoft

windows

CWE

CWE-502

Deserialization of Untrusted Data

9.8 /10