SB2023031554 - Multiple vulnerabilities in Lenovo XClarity Controller (XCC)

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023031554

SB2023031554 - Multiple vulnerabilities in Lenovo XClarity Controller (XCC)

Published: March 15, 2023

Security Bulletin ID SB2023031554
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Improper access control (CVE-ID: CVE-2023-0683)

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions within the API. A remote user can send a specially crafted request to the API and gain unauthorized access to the application.


2) Format string error (CVE-ID: CVE-2023-25492)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to a format string error within the XCC web interface. A remote user can send a specially crafted HTTP request to the API and perform a denial of service (DoS) attack.


3) Information disclosure (CVE-ID: CVE-2023-25495)

The vulnerability allows a remote administrator to gain access to sensitive information.

The vulnerability exists due to API exposes LDAP configuration, including the configured LDAP client password used by XCC to authenticate to an external LDAP server. A remote privileged user can gain access to sensitive information.


Remediation

Install update from vendor's website.

References