Multiple vulnerabilities in Lenovo XClarity Controller (XCC)



Published: 2023-09-13
Risk: Medium
Patch available: YES
Number of vulnerabilities: 3
CVE-ID: CVE-2023-4606, CVE-2023-4607, CVE-2023-4608
CWE-ID: CWE-264, CWE-89
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
ThinkAgile HX5530 Appliance
Hardware solutions / Firmware

ThinkAgile HX7530 Appliance
Hardware solutions / Firmware

ThinkAgile VX3331 Certified Node
Hardware solutions / Firmware

ThinkAgile HX1331 Certified Node
Hardware solutions / Firmware

ThinkAgile HX2330 Appliance
Hardware solutions / Firmware

ThinkAgile HX2331 Certified Node
Hardware solutions / Firmware

ThinkAgile HX3330 Appliance
Hardware solutions / Firmware

ThinkAgile HX3331 Certified Node
Hardware solutions / Firmware

ThinkAgile HX3331 Node SAP HANA
Hardware solutions / Firmware

ThinkAgile HX3375 Appliance
Hardware solutions / Firmware

ThinkAgile HX3376 Certified Node
Hardware solutions / Firmware

ThinkAgile HX5531 Certified Node
Hardware solutions / Firmware

ThinkAgile HX7530 Appl for SAP HANA
Hardware solutions / Firmware

ThinkAgile HX7531 Certified Node
Hardware solutions / Firmware

ThinkAgile HX7531 Node SAP HANA
Hardware solutions / Firmware

ThinkAgile MX3330-F All-flash Appliance
Hardware solutions / Firmware

ThinkAgile MX3330-H Hybrid Appliance
Hardware solutions / Firmware

ThinkAgile MX3331-F All-flash Certified node
Hardware solutions / Firmware

ThinkAgile MX3331-H Hybrid Certified node
Hardware solutions / Firmware

ThinkAgile MX3530 F All flash Appliance
Hardware solutions / Firmware

ThinkAgile MX3530-H Hybrid Appliance
Hardware solutions / Firmware

ThinkAgile MX3531 H Hybrid Certified node
Hardware solutions / Firmware

ThinkAgile MX3531-F All-flash Certified node
Hardware solutions / Firmware

ThinkAgile VX2330 Appliance
Hardware solutions / Firmware

ThinkAgile VX3330 Appliance
Hardware solutions / Firmware

ThinkAgile VX3530-G Appliance
Hardware solutions / Firmware

ThinkAgile VX5530 Appliance
Hardware solutions / Firmware

Thinkagile VX7330 Appliance
Hardware solutions / Firmware

ThinkAgile VX7530 Appliance
Hardware solutions / Firmware

ThinkAgile VX7531 Certified Node
Hardware solutions / Firmware

ThinkSystem SD630 V2
Hardware solutions / Firmware

ThinkSystem SD650 V2
Hardware solutions / Firmware

ThinkSystem SD650 V3
Hardware solutions / Firmware

ThinkSystem SD650-N V2
Hardware solutions / Firmware

ThinkSystem SD665 V3
Hardware solutions / Firmware

ThinkSystem SN550 V2
Hardware solutions / Firmware

ThinkSystem SR250 V2
Hardware solutions / Firmware

ThinkSystem SR258 V2
Hardware solutions / Firmware

ThinkSystem SR630 V2
Hardware solutions / Firmware

ThinkSystem SR630 V3
Hardware solutions / Firmware

ThinkSystem SR635 V3
Hardware solutions / Firmware

ThinkSystem SR645
Hardware solutions / Firmware

ThinkSystem SR645 V3
Hardware solutions / Firmware

ThinkSystem SR650 V2
Hardware solutions / Firmware

ThinkSystem SR650 V3
Hardware solutions / Firmware

ThinkSystem SR655 V3
Hardware solutions / Firmware

ThinkSystem SR665
Hardware solutions / Firmware

ThinkSystem SR665 V3
Hardware solutions / Firmware

ThinkSystem SR670 V2
Hardware solutions / Firmware

ThinkSystem SR675 V3
Hardware solutions / Firmware

ThinkSystem SR850 V2
Hardware solutions / Firmware

ThinkSystem SR850 V3
Hardware solutions / Firmware

ThinkSystem SR860 V2
Hardware solutions / Firmware

ThinkSystem SR860 V3
Hardware solutions / Firmware

ThinkSystem ST250 V2
Hardware solutions / Firmware

ThinkSystem ST258 V2
Hardware solutions / Firmware

ThinkSystem ST650 V2
Hardware solutions / Firmware

ThinkSystem ST650 V3
Hardware solutions / Firmware

ThinkSystem ST658 V2
Hardware solutions / Firmware

ThinkSystem ST658 V3
Hardware solutions / Firmware

ThinkAgile HX Enclosure Certified Node
Hardware solutions / Firmware

ThinkAgile HX1021 Edge Certified Node 3yr
Hardware solutions / Firmware

ThinkAgile HX1320 Appliance
Hardware solutions / Firmware

ThinkAgile HX1321 Certified Node
Hardware solutions / Firmware

ThinkAgile HX1520-R Appliance
Hardware solutions / Firmware

ThinkAgile HX1521-R Certified Node
Hardware solutions / Firmware

ThinkAgile HX2320-E Appliance
Hardware solutions / Firmware

ThinkAgile HX2321 Certified Node
Hardware solutions / Firmware

ThinkAgile HX2720-E Appliance
Hardware solutions / Firmware

ThinkAgile HX3320 Appliance
Hardware solutions / Firmware

ThinkAgile HX3321 Certified Node
Hardware solutions / Firmware

ThinkAgile HX3520-G Appliance
Hardware solutions / Firmware

ThinkAgile HX3521-G Certified Node
Hardware solutions / Firmware

ThinkAgile HX3720 Appliance
Hardware solutions / Firmware

ThinkAgile HX3721 Certified Node
Hardware solutions / Firmware

ThinkAgile HX5520 Appliance
Hardware solutions / Firmware

ThinkAgile HX5520-C Appliance
Hardware solutions / Firmware

ThinkAgile HX5521 Certified Node
Hardware solutions / Firmware

ThinkAgile HX5521-C Certified Node
Hardware solutions / Firmware

ThinkAgile HX7520 Appliance
Hardware solutions / Firmware

ThinkAgile HX7521 Certified Node
Hardware solutions / Firmware

ThinkAgile HX7820 Appliance
Hardware solutions / Firmware

ThinkAgile HX7821 Certified Node
Hardware solutions / Firmware

ThinkAgile MX Edge Appliance - MX1020
Hardware solutions / Firmware

ThinkAgile MX630 V3 Certified Node
Hardware solutions / Firmware

ThinkAgile MX630 V3 Integrated System
Hardware solutions / Firmware

ThinkAgile MX650 V3 Certified Node
Hardware solutions / Firmware

ThinkAgile MX650 v3 Integrated System
Hardware solutions / Firmware

ThinkAgile MX1021 on SE350
Hardware solutions / Firmware

ThinkAgile VX 1SE Certified Node
Hardware solutions / Firmware

ThinkAgile VX 2U4N Certified Node
Hardware solutions / Firmware

ThinkAgile VX 4U Certified Node
Hardware solutions / Firmware

ThinkAgile VX1320
Hardware solutions / Firmware

ThinkAgile VX2320
Hardware solutions / Firmware

ThinkAgile VX3320
Hardware solutions / Firmware

ThinkAgile VX3520-G
Hardware solutions / Firmware

ThinkAgile VX3720
Hardware solutions / Firmware

ThinkAgile VX5520
Hardware solutions / Firmware

ThinkAgile VX7320 N
Hardware solutions / Firmware

ThinkAgile VX7520
Hardware solutions / Firmware

ThinkAgile VX7520 N
Hardware solutions / Firmware

ThinkAgile VX7820
Hardware solutions / Firmware

ThinkEdge SE450
Hardware solutions / Firmware

ThinkStation P920 Rack Workstation
Hardware solutions / Firmware

ThinkSystem SD530
Hardware solutions / Firmware

ThinkSystem SD650 DWC Dual Node Tray
Hardware solutions / Firmware

ThinkSystem SE350
Hardware solutions / Firmware

ThinkSystem SN550
Hardware solutions / Firmware

ThinkSystem SN850
Hardware solutions / Firmware

ThinkSystem SR150
Hardware solutions / Firmware

ThinkSystem SR158
Hardware solutions / Firmware

ThinkSystem SR250
Hardware solutions / Firmware

ThinkSystem SR258
Hardware solutions / Firmware

ThinkSystem SR530
Hardware solutions / Firmware

ThinkSystem SR550
Hardware solutions / Firmware

ThinkSystem SR570
Hardware solutions / Firmware

ThinkSystem SR590
Hardware solutions / Firmware

ThinkSystem SR630
Hardware solutions / Firmware

ThinkSystem SR650
Hardware solutions / Firmware

ThinkSystem SR670
Hardware solutions / Firmware

ThinkSystem SR850
Hardware solutions / Firmware

ThinkSystem SR850P
Hardware solutions / Firmware

ThinkSystem SR860
Hardware solutions / Firmware

ThinkSystem SR950
Hardware solutions / Firmware

ThinkSystem ST250
Hardware solutions / Firmware

ThinkSystem ST258
Hardware solutions / Firmware

ThinkSystem ST550
Hardware solutions / Firmware

Vendor

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU80745

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4606

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to improperly imposed security restrictions. A remote authenticated Lenovo XClarity Controller (XCC) user with ReadOnly permissions can use an API command to change the password of another user.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

ThinkAgile HX5530 Appliance: before 2.85 TGBT44N

ThinkAgile HX7530 Appliance: before 2.85 TGBT44N

ThinkAgile VX3331 Certified Node: before 2.85 TGBT44N

ThinkAgile HX1331 Certified Node: before 2.85 TGBT44N

ThinkAgile HX2330 Appliance: before 2.85 TGBT44N

ThinkAgile HX2331 Certified Node: before 2.85 TGBT44N

ThinkAgile HX3330 Appliance: before 2.85 TGBT44N

ThinkAgile HX3331 Certified Node: before 2.85 TGBT44N

ThinkAgile HX3331 Node SAP HANA: before 2.85 TGBT44N

ThinkAgile HX3375 Appliance: before 5.00 D8BT54M

ThinkAgile HX3376 Certified Node: before 5.00 D8BT54M

ThinkAgile HX5531 Certified Node: before 2.85 TGBT44N

ThinkAgile HX7530 Appl for SAP HANA: before 2.85 TGBT44N

ThinkAgile HX7531 Certified Node: before 2.85 TGBT44N

ThinkAgile HX7531 Node SAP HANA: before 2.85 TGBT44N

ThinkAgile MX3330-F All-flash Appliance: before 2.85 TGBT44N

ThinkAgile MX3330-H Hybrid Appliance: before 2.85 TGBT44N

ThinkAgile MX3331-F All-flash Certified node: before 2.85 TGBT44N

ThinkAgile MX3331-H Hybrid Certified node: before 2.85 TGBT44N

ThinkAgile MX3530 F All flash Appliance: before 2.85 TGBT44N

ThinkAgile MX3530-H Hybrid Appliance: before 2.85 TGBT44N

ThinkAgile MX3531 H Hybrid Certified node: before 2.85 TGBT44N

ThinkAgile MX3531-F All-flash Certified node: before 2.85 TGBT44N

ThinkAgile VX2330 Appliance: before 2.85 TGBT44N

ThinkAgile VX3330 Appliance: before 2.85 TGBT44N

ThinkAgile VX3530-G Appliance: before 2.85 TGBT44N

ThinkAgile VX5530 Appliance: before 2.85 TGBT44N

Thinkagile VX7330 Appliance: before 2.85 TGBT44N

ThinkAgile VX7530 Appliance: before 2.85 TGBT44N

ThinkAgile VX7531 Certified Node: before 2.85 TGBT44N

ThinkSystem SD630 V2: before 2.85 TGBT44N

ThinkSystem SD650 V2: before 2.85 TGBT44N

ThinkSystem SD650 V3: before 2.12 USX320Y

ThinkSystem SD650-N V2: before 2.85 TGBT44N

ThinkSystem SD665 V3: before 2.12 KAX318V

ThinkSystem SN550 V2: before 2.85 TGBT44N

ThinkSystem SR250 V2: before 2.85 TGBT44N

ThinkSystem SR258 V2: before 2.85 TGBT44N

ThinkSystem SR630 V2: before 2.85 TGBT44N

ThinkSystem SR630 V3: before 2.14 ESE114R

ThinkSystem SR635 V3: before 2.12 KAX318V

ThinkSystem SR645: before 5.00 D8BT54M

ThinkSystem SR645 V3: before 2.12 KAX318V

ThinkSystem SR650 V2: before 2.85 TGBT44N

ThinkSystem SR650 V3: before 2.14 ESE114R

ThinkSystem SR655 V3: before 2.12 KAX318V

ThinkSystem SR665: before 5.00 D8BT54M

ThinkSystem SR665 V3: before 2.12 KAX318V

ThinkSystem SR670 V2: before 2.85 TGBT44N

ThinkSystem SR675 V3: before 1.11 QGX318C

ThinkSystem SR850 V2: before 2.85 TGBT44N

ThinkSystem SR850 V3: before 1.11 RSX306C

ThinkSystem SR860 V2: before 2.85 TGBT44N

ThinkSystem SR860 V3: before 1.11 RSX306C

ThinkSystem ST250 V2: before 2.85 TGBT44N

ThinkSystem ST258 V2: before 2.85 TGBT44N

ThinkSystem ST650 V2: before 2.85 TGBT44N

ThinkSystem ST650 V3: before 2.17 USX330E

ThinkSystem ST658 V2: before 2.85 TGBT44N

ThinkSystem ST658 V3: before 2.17 USX330E

External links

http://support.lenovo.com/us/en/product_security/LEN-140960


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
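A fleet check for the "Vulnerable software versions" list above, added here as an example and not part of the advisory: it embeds an excerpt of the CVE-2023-4606 fixed-version table, compares an installed XCC firmware version with the listed "before" version numerically (the build identifier after the version number is assumed to be informational only), and classifies a constructed inventory as affected, patched or not listed. Hostnames and installed versions in the sample are made up.

```python
from decimal import Decimal
import re

# Excerpt of this advisory's "Vulnerable software versions" list for CVE-2023-4606
# (product -> first fixed XCC firmware, "version build-id"). The page lists many more rows.
FIXED_CVE_2023_4606 = {
    "ThinkSystem SR630 V2": "2.85 TGBT44N",
    "ThinkSystem SR630 V3": "2.14 ESE114R",
    "ThinkSystem SR645": "5.00 D8BT54M",
    "ThinkSystem SR675 V3": "1.11 QGX318C",
    "ThinkSystem SD650 V3": "2.12 USX320Y",
    "ThinkAgile HX3375 Appliance": "5.00 D8BT54M",
}

# "2.85 TGBT44N": numeric version, then an optional build identifier.
VERSION_RE = re.compile(r"^\s*(\d+\.\d+)(?:\s+([A-Za-z0-9]+))?\s*$")


def parse_version(text):
    """Split an XCC version string into (Decimal version, build id or None).

    Assumption: the page's 'before X.YY' compares on the numeric part only;
    the build id is kept for reporting and is not used for ordering."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised XCC version string: {text!r}")
    return Decimal(m.group(1)), m.group(2)


def is_affected(product, installed, fixed_table=FIXED_CVE_2023_4606):
    """True if `installed` is before the fixed version for `product`, False if
    at or past it, None if the product is not in this advisory's list."""
    # Case-insensitive lookup: the page itself mixes "ThinkAgile" and "Thinkagile".
    by_name = {k.lower(): v for k, v in fixed_table.items()}
    fixed = by_name.get(product.strip().lower())
    if fixed is None:
        return None
    installed_ver, _ = parse_version(installed)
    fixed_ver, _ = parse_version(fixed)
    return installed_ver < fixed_ver


def triage(inventory, fixed_table=FIXED_CVE_2023_4606):
    """Map each (host, product, installed) row to 'affected', 'patched' or 'not listed'."""
    labels = {True: "affected", False: "patched", None: "not listed"}
    return {host: labels[is_affected(product, installed, fixed_table)]
            for host, product, installed in inventory}


# Constructed inventory (not from the page); hostnames and installed versions are made up.
# SR950 is deliberately included: it appears only in the CVE-2023-4607 list, not this one.
SAMPLE_INVENTORY = [
    ("bmc-01", "ThinkSystem SR630 V2", "2.80 TGBT42K"),
    ("bmc-02", "ThinkSystem SR630 V2", "2.85 TGBT44N"),
    ("bmc-03", "ThinkSystem SR645", "4.95 D8BT52J"),
    ("bmc-04", "ThinkSystem SR675 V3", "1.20 QGX320A"),
    ("bmc-05", "ThinkSystem SR950", "2.90 PSI352F"),
]
```

Each of the three vulnerabilities has its own product list on this page, so a separate table is needed per CVE; "not listed" means the product is absent from that CVE's list, not that it is safe.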

2) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU80746

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4607

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to improperly imposed security restrictions. A local authenticated Lenovo XClarity Controller (XCC) user can change permissions for any user through a crafted API command.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

ThinkAgile HX5530 Appliance: before 2.85 TGBT44N

ThinkAgile HX7530 Appliance: before 2.85 TGBT44N

ThinkAgile VX3331 Certified Node: before 2.85 TGBT44N

ThinkAgile HX Enclosure Certified Node: before 6.20 TEI3F2H

ThinkAgile HX1021 Edge Certified Node 3yr: before 3.91 TEI3E2G

ThinkAgile HX1320 Appliance: before 9.80 CDI3B2H

ThinkAgile HX1321 Certified Node: before 9.80 CDI3B2H

ThinkAgile HX1331 Certified Node: before 2.85 TGBT44N

ThinkAgile HX1520-R Appliance: before 9.80 CDI3B2H

ThinkAgile HX1521-R Certified Node: before 9.80 CDI3B2H

ThinkAgile HX2320-E Appliance: before 9.80 CDI3B2H

ThinkAgile HX2321 Certified Node: before 9.80 CDI3B2H

ThinkAgile HX2330 Appliance: before 2.85 TGBT44N

ThinkAgile HX2331 Certified Node: before 2.85 TGBT44N

ThinkAgile HX2720-E Appliance: before 6.20 TEI3F2H

ThinkAgile HX3320 Appliance: before 9.80 CDI3B2H

ThinkAgile HX3321 Certified Node: before 9.80 CDI3B2H

ThinkAgile HX3330 Appliance: before 2.85 TGBT44N

ThinkAgile HX3331 Certified Node: before 2.85 TGBT44N

ThinkAgile HX3331 Node SAP HANA: before 2.85 TGBT44N

ThinkAgile HX3375 Appliance: before 5.00 D8BT54M

ThinkAgile HX3376 Certified Node: before 5.00 D8BT54M

ThinkAgile HX3520-G Appliance: before 9.80 CDI3B2H

ThinkAgile HX3521-G Certified Node: before 9.80 CDI3B2H

ThinkAgile HX3720 Appliance: before 6.20 TEI3F2H

ThinkAgile HX3721 Certified Node: before 6.20 TEI3F2H

ThinkAgile HX5520 Appliance: before 9.80 CDI3B2H

ThinkAgile HX5520-C Appliance: before 9.80 CDI3B2H

ThinkAgile HX5521 Certified Node: before 9.80 CDI3B2H

ThinkAgile HX5521-C Certified Node: before 9.80 CDI3B2H

ThinkAgile HX5531 Certified Node: before 2.85 TGBT44N

ThinkAgile HX7520 Appliance: before 9.80 CDI3B2H

ThinkAgile HX7521 Certified Node: before 9.80 CDI3B2H

ThinkAgile HX7530 Appl for SAP HANA: before 2.85 TGBT44N

ThinkAgile HX7531 Certified Node: before 2.85 TGBT44N

ThinkAgile HX7531 Node SAP HANA: before 2.85 TGBT44N

ThinkAgile HX7820 Appliance: before 2.90 PSI352F

ThinkAgile HX7821 Certified Node: before 2.90 PSI352F

ThinkAgile MX Edge Appliance - MX1020: before 3.91 TEI3E2G

ThinkAgile MX3330-F All-flash Appliance: before 2.85 TGBT44N

ThinkAgile MX3330-H Hybrid Appliance: before 2.85 TGBT44N

ThinkAgile MX3331-F All-flash Certified node: before 2.85 TGBT44N

ThinkAgile MX3331-H Hybrid Certified node: before 2.85 TGBT44N

ThinkAgile MX3530 F All flash Appliance: before 2.85 TGBT44N

ThinkAgile MX3530-H Hybrid Appliance: before 2.85 TGBT44N

ThinkAgile MX3531 H Hybrid Certified node: before 2.85 TGBT44N

ThinkAgile MX3531-F All-flash Certified node: before 2.85 TGBT44N

ThinkAgile MX630 V3 Certified Node: before 2.14 ESE114R

ThinkAgile MX630 V3 Integrated System: before 2.14 ESE114R

ThinkAgile MX650 V3 Certified Node: before 2.14 ESE114R

ThinkAgile MX650 v3 Integrated System: before 2.14 ESE114R

ThinkAgile MX1021 on SE350: before 3.91 TEI3E2G

ThinkAgile VX 1SE Certified Node: before 6.20 TEI3F2H

ThinkAgile VX 2U4N Certified Node: before 6.20 TEI3F2H

ThinkAgile VX 4U Certified Node: before 2.90 PSI352F

ThinkAgile VX1320: before 6.20 TEI3F2H

ThinkAgile VX2320: before 9.80 CDI3B2H

ThinkAgile VX2330 Appliance: before 2.85 TGBT44N

ThinkAgile VX3320: before 9.80 CDI3B2H

ThinkAgile VX3330 Appliance: before 2.85 TGBT44N

ThinkAgile VX3520-G: before 9.80 CDI3B2H

ThinkAgile VX3530-G Appliance: before 2.85 TGBT44N

ThinkAgile VX3720: before 6.20 TEI3F2H

ThinkAgile VX5520: before 9.80 CDI3B2H

ThinkAgile VX5530 Appliance: before 2.85 TGBT44N

ThinkAgile VX7320 N: before 9.80 CDI3B2H

Thinkagile VX7330 Appliance: before 2.85 TGBT44N

ThinkAgile VX7520: before 9.80 CDI3B2H

ThinkAgile VX7520 N: before 9.80 CDI3B2H

ThinkAgile VX7530 Appliance: before 2.85 TGBT44N

ThinkAgile VX7531 Certified Node: before 2.85 TGBT44N

ThinkAgile VX7820: before 2.90 PSI352F

ThinkEdge SE450: before 1.70 USX326L

ThinkStation P920 Rack Workstation: before 9.80 CDI3B2H

ThinkSystem SD530: before 6.20 TEI3F2H

ThinkSystem SD630 V2: before 2.85 TGBT44N

ThinkSystem SD650 DWC Dual Node Tray: before 6.20 TEI3F2H

ThinkSystem SD650 V2: before 2.85 TGBT44N

ThinkSystem SD650 V3: before 2.12 USX320Y

ThinkSystem SD650-N V2: before 2.85 TGBT44N

ThinkSystem SD665 V3: before 2.12 KAX318V

ThinkSystem SE350: before 3.91 TEI3E2G

ThinkSystem SN550: before 6.20 TEI3F2H

ThinkSystem SN550 V2: before 2.85 TGBT44N

ThinkSystem SN850: before 6.20 TEI3F2H

ThinkSystem SR150: before 6.20 TEI3F2H

ThinkSystem SR158: before 6.20 TEI3F2H

ThinkSystem SR250: before 6.20 TEI3F2H

ThinkSystem SR250 V2: before 2.85 TGBT44N

ThinkSystem SR258: before 6.20 TEI3F2H

ThinkSystem SR258 V2: before 2.85 TGBT44N

ThinkSystem SR530: before 9.80 CDI3B2H

ThinkSystem SR550: before 9.80 CDI3B2H

ThinkSystem SR570: before 9.80 CDI3B2H

ThinkSystem SR590: before 9.80 CDI3B2H

ThinkSystem SR630: before 9.80 CDI3B2H

ThinkSystem SR630 V2: before 2.85 TGBT44N

ThinkSystem SR630 V3: before 2.14 ESE114R

ThinkSystem SR635 V3: before 2.12 KAX318V

ThinkSystem SR645: before 5.00 D8BT54M

ThinkSystem SR645 V3: before 2.12 KAX318V

ThinkSystem SR650: before 9.80 CDI3B2H

ThinkSystem SR650 V2: before 2.85 TGBT44N

ThinkSystem SR650 V3: before 2.14 ESE114R

ThinkSystem SR655 V3: before 2.12 KAX318V

ThinkSystem SR665: before 5.00 D8BT54M

ThinkSystem SR665 V3: before 2.12 KAX318V

ThinkSystem SR670: before 3.91 TEI3E2G

ThinkSystem SR670 V2: before 2.85 TGBT44N

ThinkSystem SR675 V3: before 1.11 QGX318C

ThinkSystem SR850: before 6.20 TEI3F2H

ThinkSystem SR850 V2: before 2.85 TGBT44N

ThinkSystem SR850 V3: before 1.11 RSX306C

ThinkSystem SR850P: before 3.91 TEI3E2G

ThinkSystem SR860: before 6.20 TEI3F2H

ThinkSystem SR860 V2: before 2.85 TGBT44N

ThinkSystem SR860 V3: before 1.11 RSX306C

ThinkSystem SR950: before 2.90 PSI352F

ThinkSystem ST250: before 6.20 TEI3F2H

ThinkSystem ST250 V2: before 2.85 TGBT44N

ThinkSystem ST258: before 6.20 TEI3F2H

ThinkSystem ST258 V2: before 2.85 TGBT44N

ThinkSystem ST550: before 9.80 CDI3B2H

ThinkSystem ST650 V2: before 2.85 TGBT44N

ThinkSystem ST650 V3: before 2.17 USX330E

ThinkSystem ST658 V2: before 2.85 TGBT44N

ThinkSystem ST658 V3: before 2.17 USX330E

External links

http://support.lenovo.com/us/en/product_security/LEN-140960


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) SQL injection

EUVDB-ID: #VU80747

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4608

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote privileged user to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data within the API in Lenovo XClarity Controller (XCC). A remote privileged user can send a specially crafted request to the affected API endpoint and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete or modify data in the database and gain complete control over the affected application.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

ThinkAgile HX5530 Appliance: before 2.85 TGBT44N

ThinkAgile HX7530 Appliance: before 2.85 TGBT44N

ThinkAgile VX3331 Certified Node: before 2.85 TGBT44N

ThinkAgile HX1331 Certified Node: before 2.85 TGBT44N

ThinkAgile HX2330 Appliance: before 2.85 TGBT44N

ThinkAgile HX2331 Certified Node: before 2.85 TGBT44N

ThinkAgile HX3330 Appliance: before 2.85 TGBT44N

ThinkAgile HX3331 Certified Node: before 2.85 TGBT44N

ThinkAgile HX3331 Node SAP HANA: before 2.85 TGBT44N

ThinkAgile HX3375 Appliance: before 5.00 D8BT54M

ThinkAgile HX3376 Certified Node: before 5.00 D8BT54M

ThinkAgile HX5531 Certified Node: before 2.85 TGBT44N

ThinkAgile HX7530 Appl for SAP HANA: before 2.85 TGBT44N

ThinkAgile HX7531 Certified Node: before 2.85 TGBT44N

ThinkAgile HX7531 Node SAP HANA: before 2.85 TGBT44N

ThinkAgile MX3330-F All-flash Appliance: before 2.85 TGBT44N

ThinkAgile MX3330-H Hybrid Appliance: before 2.85 TGBT44N

ThinkAgile MX3331-F All-flash Certified node: before 2.85 TGBT44N

ThinkAgile MX3331-H Hybrid Certified node: before 2.85 TGBT44N

ThinkAgile MX3530 F All flash Appliance: before 2.85 TGBT44N

ThinkAgile MX3530-H Hybrid Appliance: before 2.85 TGBT44N

ThinkAgile MX3531 H Hybrid Certified node: before 2.85 TGBT44N

ThinkAgile MX3531-F All-flash Certified node: before 2.85 TGBT44N

ThinkAgile VX2330 Appliance: before 2.85 TGBT44N

ThinkAgile VX3330 Appliance: before 2.85 TGBT44N

ThinkAgile VX3530-G Appliance: before 2.85 TGBT44N

ThinkAgile VX5530 Appliance: before 2.85 TGBT44N

Thinkagile VX7330 Appliance: before 2.85 TGBT44N

ThinkAgile VX7530 Appliance: before 2.85 TGBT44N

ThinkAgile VX7531 Certified Node: before 2.85 TGBT44N

ThinkSystem SD630 V2: before 2.85 TGBT44N

ThinkSystem SD650 V2: before 2.85 TGBT44N

ThinkSystem SD650 V3: before 2.12 USX320Y

ThinkSystem SD650-N V2: before 2.85 TGBT44N

ThinkSystem SD665 V3: before 2.12 KAX318V

ThinkSystem SN550 V2: before 2.85 TGBT44N

ThinkSystem SR250 V2: before 2.85 TGBT44N

ThinkSystem SR258 V2: before 2.85 TGBT44N

ThinkSystem SR630 V2: before 2.85 TGBT44N

ThinkSystem SR630 V3: before 2.14 ESE114R

ThinkSystem SR635 V3: before 2.12 KAX318V

ThinkSystem SR645: before 5.00 D8BT54M

ThinkSystem SR645 V3: before 2.12 KAX318V

ThinkSystem SR650 V2: before 2.85 TGBT44N

ThinkSystem SR650 V3: before 2.14 ESE114R

ThinkSystem SR655 V3: before 2.12 KAX318V

ThinkSystem SR665: before 5.00 D8BT54M

ThinkSystem SR665 V3: before 2.12 KAX318V

ThinkSystem SR670 V2: before 2.85 TGBT44N

ThinkSystem SR675 V3: before 1.11 QGX318C

ThinkSystem SR850 V2: before 2.85 TGBT44N

ThinkSystem SR850 V3: before 1.11 RSX306C

ThinkSystem SR860 V2: before 2.85 TGBT44N

ThinkSystem SR860 V3: before 1.11 RSX306C

ThinkSystem ST250 V2: before 2.85 TGBT44N

ThinkSystem ST258 V2: before 2.85 TGBT44N

ThinkSystem ST650 V2: before 2.85 TGBT44N

ThinkSystem ST650 V3: before 2.17 USX330E

ThinkSystem ST658 V2: before 2.85 TGBT44N

ThinkSystem ST658 V3: before 2.17 USX330E

External links

http://support.lenovo.com/us/en/product_security/LEN-140960


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
