SB2023031554 - Multiple vulnerabilities in Lenovo XClarity Controller (XCC)
Published: March 15, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2023-0683)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions within the API. A remote user can send a specially crafted request to the API and gain unauthorized access to the application.
2) Format string error (CVE-ID: CVE-2023-25492)
CWE-ID: CWE-134 - Use of Externally-Controlled Format String
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to a format string error within the XCC web interface. A remote user can send a specially crafted HTTP request to the API and perform a denial of service (DoS) attack.
3) Information disclosure (CVE-ID: CVE-2023-25495)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote administrator to gain access to sensitive information.
The vulnerability exists due to API exposes LDAP configuration, including the configured LDAP client password used by XCC to authenticate to an external LDAP server. A remote privileged user can gain access to sensitive information.
Remediation
Install update from vendor's website.