SQL injection in Hardware solutions

#VU80747 SQL injection in Hardware solutions

Published: 2023-09-13

Vulnerability identifier: #VU80747

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4608

CWE-ID: CWE-89

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ThinkAgile HX5530 Appliance
Hardware solutions / Firmware
ThinkAgile HX7530 Appliance
Hardware solutions / Firmware
ThinkAgile VX3331 Certified Node
Hardware solutions / Firmware
ThinkAgile HX1331 Certified Node
Hardware solutions / Firmware
ThinkAgile HX2330 Appliance
Hardware solutions / Firmware
ThinkAgile HX2331 Certified Node
Hardware solutions / Firmware
ThinkAgile HX3330 Appliance
Hardware solutions / Firmware
ThinkAgile HX3331 Certified Node
Hardware solutions / Firmware
ThinkAgile HX3331 Node SAP HANA
Hardware solutions / Firmware
ThinkAgile HX3375 Appliance
Hardware solutions / Firmware
ThinkAgile HX3376 Certified Node
Hardware solutions / Firmware
ThinkAgile HX5531 Certified Node
Hardware solutions / Firmware
ThinkAgile HX7530 Appl for SAP HANA
Hardware solutions / Firmware
ThinkAgile HX7531 Certified Node
Hardware solutions / Firmware
ThinkAgile HX7531 Node SAP HANA
Hardware solutions / Firmware
ThinkAgile MX3330-F All-flash Appliance
Hardware solutions / Firmware
ThinkAgile MX3330-H Hybrid Appliance
Hardware solutions / Firmware
ThinkAgile MX3331-F All-flash Certified node
Hardware solutions / Firmware
ThinkAgile MX3331-H Hybrid Certified node
Hardware solutions / Firmware
ThinkAgile MX3530 F All flash Appliance
Hardware solutions / Firmware
ThinkAgile MX3530-H Hybrid Appliance
Hardware solutions / Firmware
ThinkAgile MX3531 H Hybrid Certified node
Hardware solutions / Firmware
ThinkAgile MX3531-F All-flash Certified node
Hardware solutions / Firmware
ThinkAgile VX2330 Appliance
Hardware solutions / Firmware
ThinkAgile VX3330 Appliance
Hardware solutions / Firmware
ThinkAgile VX3530-G Appliance
Hardware solutions / Firmware
ThinkAgile VX5530 Appliance
Hardware solutions / Firmware
Thinkagile VX7330 Appliance
Hardware solutions / Firmware
ThinkAgile VX7530 Appliance
Hardware solutions / Firmware
ThinkAgile VX7531 Certified Node
Hardware solutions / Firmware
ThinkSystem SD630 V2
Hardware solutions / Firmware
ThinkSystem SD650 V2
Hardware solutions / Firmware
ThinkSystem SD650 V3
Hardware solutions / Firmware
ThinkSystem SD650-N V2
Hardware solutions / Firmware
ThinkSystem SD665 V3
Hardware solutions / Firmware
ThinkSystem SN550 V2
Hardware solutions / Firmware
ThinkSystem SR250 V2
Hardware solutions / Firmware
ThinkSystem SR258 V2
Hardware solutions / Firmware
ThinkSystem SR630 V2
Hardware solutions / Firmware
ThinkSystem SR630 V3
Hardware solutions / Firmware
ThinkSystem SR635 V3
Hardware solutions / Firmware
ThinkSystem SR645
Hardware solutions / Firmware
ThinkSystem SR645 V3
Hardware solutions / Firmware
ThinkSystem SR650 V2
Hardware solutions / Firmware
ThinkSystem SR650 V3
Hardware solutions / Firmware
ThinkSystem SR655 V3
Hardware solutions / Firmware
ThinkSystem SR665
Hardware solutions / Firmware
ThinkSystem SR665 V3
Hardware solutions / Firmware
ThinkSystem SR670 V2
Hardware solutions / Firmware
ThinkSystem SR675 V3
Hardware solutions / Firmware
ThinkSystem SR850 V2
Hardware solutions / Firmware
ThinkSystem SR850 V3
Hardware solutions / Firmware
ThinkSystem SR860 V2
Hardware solutions / Firmware
ThinkSystem SR860 V3
Hardware solutions / Firmware
ThinkSystem ST250 V2
Hardware solutions / Firmware
ThinkSystem ST258 V2
Hardware solutions / Firmware
ThinkSystem ST650 V2
Hardware solutions / Firmware
ThinkSystem ST650 V3
Hardware solutions / Firmware
ThinkSystem ST658 V2
Hardware solutions / Firmware
ThinkSystem ST658 V3
Hardware solutions / Firmware

Vendor:

Description

The vulnerability allows a remote privileged user to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data within API in Lenovo XClarity Controller (XCC). A remote privileged user can send a specially crafted request to the affected API endpoint and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

External links
http://support.lenovo.com/us/en/product_security/LEN-140960

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Lenovo XClarity Controller (XCC)