Unrated severity · NVD Advisory · Published Jun 10, 2020 · Updated Sep 16, 2024

CVE-2020-4435

Description

Certain IBM Aspera applications are vulnerable to arbitrary memory corruption based on the product configuration, which could allow an attacker with intimate knowledge of the system to execute arbitrary code or perform a denial-of-service (DoS) through the http fallback service. IBM X-Force ID: 180901.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Aspera applications have an arbitrary memory corruption flaw in the HTTP fallback service that can lead to code execution or denial-of-service (DoS) by an attacker with system knowledge.

Vulnerability

Certain IBM Aspera applications are vulnerable to arbitrary memory corruption via the HTTP fallback service, as described in the IBM security bulletin [1]. Whether the flaw is reachable depends on the product configuration. The available references do not list the exact affected versions individually, but the bulletin indicates that fixes are included in the product versions detailed on the support page [1]. The CVSS base score is 7.5, with the vector CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H per the CVE description, indicating that the attacker needs low privileges and that attack complexity is high [1].

Exploitation

An attacker requires intimate knowledge of the system and must be able to interact with the HTTP fallback service [1]. According to the CVE description, exploitation depends on product configuration. The attacker must have low privileges (PR:L), and the attack complexity is high (AC:H), meaning successful exploitation requires specific conditions or repeated attempts. No user interaction is required (UI:N) [1].

Impact

On successful exploitation, the attacker can achieve arbitrary memory corruption, leading to arbitrary code execution or a denial-of-service (DoS) condition. The scope is unchanged (S:U), and the confidentiality, integrity, and availability impacts are all rated high (C:H/I:H/A:H) [1].

Mitigation

The vulnerability is fixed in the product versions listed in the IBM security bulletin [1]; the bulletin provides a table of affected components and their corresponding fixed versions. Users should apply the updates as specified. No workarounds are mentioned in the available references.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

11
  • IBM/Aspera [llm-fuzzy]
  • IBM/Aspera Application Platform On Demand [v5]
    Range: 3.7.4
  • IBM/Aspera Faspex On Demand [v5]
    Range: 3.7.4
  • IBM/Aspera High-Speed Transfer [cpe-rescue], 2 versions
    3.9.3 + 1 more
    • (no CPE) Range: 3.9.3
    • (no CPE) Range: 3.9.3
  • IBM/Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I) [v5]
    Range: 3.9.10
  • IBM/Aspera Proxy Server [v5]
    Range: 1.4.3
  • IBM/Aspera Server On Demand [v5]
    Range: 3.7.4
  • IBM/Aspera Shares [cpe-rescue]
    Range: 3.7.4
  • IBM/Aspera Streaming [v5]
    Range: 3.9.3
  • IBM/Aspera Transfer Cluster Manager [v5]
    Range: 1.3.1

Patches

0

No patches discovered yet.

References

2
