Unrated severity · NVD Advisory · Published Jun 10, 2020 · Updated Sep 16, 2024

CVE-2020-4432

Description

Certain IBM Aspera applications are vulnerable to command injection after valid authentication, which could allow an attacker with intimate knowledge of the system to execute commands in a SOAP API. IBM X-Force ID: 180810.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Aspera applications are vulnerable to authenticated command injection via SOAP API, allowing arbitrary command execution.

Vulnerability

CVE-2020-4432 is a command injection vulnerability in certain IBM Aspera applications. An attacker with valid authentication and intimate knowledge of the system can inject commands through the SOAP API. The affected products and versions are listed in the IBM security bulletin [1].

Exploitation

The attacker must have valid authentication and intimate knowledge of the system. The vulnerability exists in the SOAP API. Specific steps are not detailed in the references, but an attacker can send crafted SOAP requests to inject arbitrary commands.

Impact

Successful exploitation allows the attacker to execute arbitrary commands on the system. This could lead to full compromise of confidentiality, integrity, and availability (CIA) depending on the privileges of the application.

Mitigation

IBM has released fixes for the affected products as listed in the security bulletin [1]. Users should apply the latest updates. No workaround is mentioned in the available references.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

11
  • IBM/Aspera [llm-fuzzy]
  • IBM/Aspera Application Platform On Demand [v5]
    Range: 3.7.4
  • IBM/Aspera Faspex On Demand [v5]
    Range: 3.7.4
  • IBM/Aspera High-Speed Transfer [cpe-rescue] (2 versions)
    3.9.3 + 1 more
    • (no CPE) range: 3.9.3
    • (no CPE) range: 3.9.3
  • IBM/Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I) [v5]
    Range: 3.9.10
  • IBM/Aspera Proxy Server [v5]
    Range: 1.4.3
  • IBM/Aspera Server On Demand [v5]
    Range: 3.7.4
  • IBM/Aspera Shares [cpe-rescue]
    Range: 3.7.4
  • IBM/Aspera Streaming [v5]
    Range: 3.9.3
  • IBM/Aspera Transfer Cluster Manager [v5]
    Range: 1.3.1

Patches

0

No patches discovered yet.

References

2
