Vulnerability identifier: #VU80747
Vulnerability risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-89
Exploitation vector: Network
Exploit availability: No
Vulnerable software (each entry is categorised as Hardware solutions / Firmware):
ThinkAgile HX5530 Appliance
ThinkAgile HX7530 Appliance
ThinkAgile VX3331 Certified Node
ThinkAgile HX1331 Certified Node
ThinkAgile HX2330 Appliance
ThinkAgile HX2331 Certified Node
ThinkAgile HX3330 Appliance
ThinkAgile HX3331 Certified Node
ThinkAgile HX3331 Node SAP HANA
ThinkAgile HX3375 Appliance
ThinkAgile HX3376 Certified Node
ThinkAgile HX5531 Certified Node
ThinkAgile HX7530 Appl for SAP HANA
ThinkAgile HX7531 Certified Node
ThinkAgile HX7531 Node SAP HANA
ThinkAgile MX3330-F All-flash Appliance
ThinkAgile MX3330-H Hybrid Appliance
ThinkAgile MX3331-F All-flash Certified node
ThinkAgile MX3331-H Hybrid Certified node
ThinkAgile MX3530 F All flash Appliance
ThinkAgile MX3530-H Hybrid Appliance
ThinkAgile MX3531 H Hybrid Certified node
ThinkAgile MX3531-F All-flash Certified node
ThinkAgile VX2330 Appliance
ThinkAgile VX3330 Appliance
ThinkAgile VX3530-G Appliance
ThinkAgile VX5530 Appliance
ThinkAgile VX7330 Appliance
ThinkAgile VX7530 Appliance
ThinkAgile VX7531 Certified Node
ThinkSystem SD630 V2
ThinkSystem SD650 V2
ThinkSystem SD650 V3
ThinkSystem SD650-N V2
ThinkSystem SD665 V3
ThinkSystem SN550 V2
ThinkSystem SR250 V2
ThinkSystem SR258 V2
ThinkSystem SR630 V2
ThinkSystem SR630 V3
ThinkSystem SR635 V3
ThinkSystem SR645
ThinkSystem SR645 V3
ThinkSystem SR650 V2
ThinkSystem SR650 V3
ThinkSystem SR655 V3
ThinkSystem SR665
ThinkSystem SR665 V3
ThinkSystem SR670 V2
ThinkSystem SR675 V3
ThinkSystem SR850 V2
ThinkSystem SR850 V3
ThinkSystem SR860 V2
ThinkSystem SR860 V3
ThinkSystem ST250 V2
ThinkSystem ST258 V2
ThinkSystem ST650 V2
ThinkSystem ST650 V3
ThinkSystem ST658 V2
ThinkSystem ST658 V3
Vendor:
Description
The vulnerability allows a remote privileged user to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data within an API in Lenovo XClarity Controller (XCC). A remote privileged user can send a specially crafted request to the affected API endpoint and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
External links
http://support.lenovo.com/us/en/product_security/LEN-140960
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.