#VU80747 SQL injection in Lenovo products - CVE-2023-4608
Published: September 13, 2023
ThinkAgile HX5530 Appliance
ThinkAgile HX7530 Appliance
ThinkAgile VX3331 Certified Node
ThinkAgile HX1331 Certified Node
ThinkAgile HX2330 Appliance
ThinkAgile HX2331 Certified Node
ThinkAgile HX3330 Appliance
ThinkAgile HX3331 Certified Node
ThinkAgile HX3331 Node SAP HANA
ThinkAgile HX3375 Appliance
ThinkAgile HX3376 Certified Node
ThinkAgile HX5531 Certified Node
ThinkAgile HX7530 Appl for SAP HANA
ThinkAgile HX7531 Certified Node
ThinkAgile HX7531 Node SAP HANA
ThinkAgile MX3330-F All-flash Appliance
ThinkAgile MX3330-H Hybrid Appliance
ThinkAgile MX3331-F All-flash Certified node
ThinkAgile MX3331-H Hybrid Certified node
ThinkAgile MX3530 F All flash Appliance
ThinkAgile MX3530-H Hybrid Appliance
ThinkAgile MX3531 H Hybrid Certified node
ThinkAgile MX3531-F All-flash Certified node
ThinkAgile VX2330 Appliance
ThinkAgile VX3330 Appliance
ThinkAgile VX3530-G Appliance
ThinkAgile VX5530 Appliance
ThinkAgile VX7330 Appliance
ThinkAgile VX7530 Appliance
ThinkAgile VX7531 Certified Node
ThinkSystem SD630 V2
ThinkSystem SD650 V2
ThinkSystem SD650 V3
ThinkSystem SD650-N V2
ThinkSystem SD665 V3
ThinkSystem SN550 V2
ThinkSystem SR250 V2
ThinkSystem SR258 V2
ThinkSystem SR630 V2
ThinkSystem SR630 V3
ThinkSystem SR635 V3
ThinkSystem SR645
ThinkSystem SR645 V3
ThinkSystem SR650 V2
ThinkSystem SR650 V3
ThinkSystem SR655 V3
ThinkSystem SR665
ThinkSystem SR665 V3
ThinkSystem SR670 V2
ThinkSystem SR675 V3
ThinkSystem SR850 V2
ThinkSystem SR850 V3
ThinkSystem SR860 V2
ThinkSystem SR860 V3
ThinkSystem ST250 V2
ThinkSystem ST258 V2
ThinkSystem ST650 V2
ThinkSystem ST650 V3
ThinkSystem ST658 V2
ThinkSystem ST658 V3
Lenovo
Description
The vulnerability allows a remote privileged user to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data within an API in Lenovo XClarity Controller (XCC). A remote privileged user can send a specially crafted request to the affected API endpoint and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker with privileged access to read, delete or modify data in the database and gain complete control over the affected application.