An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command.

This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.

Affected Products

Vendor: Lenovo

Products:
Thinkagile Hx1331
Thinkagile Hx1331 Firmware
Thinkagile Hx2330
Thinkagile Hx2330 Firmware
Thinkagile Hx2331
Thinkagile Hx2331 Firmware
Thinkagile Hx3330
Thinkagile Hx3330 Firmware
Thinkagile Hx3331
Thinkagile Hx3331 Firmware
Thinkagile Hx3375
Thinkagile Hx3375 Firmware
Thinkagile Hx3376
Thinkagile Hx3376 Firmware
Thinkagile Hx5530
Thinkagile Hx5530 Firmware
Thinkagile Hx5531
Thinkagile Hx5531 Firmware
Thinkagile Hx7530
Thinkagile Hx7530 Firmware
Thinkagile Hx7531
Thinkagile Hx7531 Firmware
Thinkagile Mx3330-f All-flash
Thinkagile Mx3330-f All-flash Firmware
Thinkagile Mx3330-h Hybrid
Thinkagile Mx3330-h Hybrid Firmware
Thinkagile Mx3331-f All-flash
Thinkagile Mx3331-f All-flash Firmware
Thinkagile Mx3331-h Hybrid
Thinkagile Mx3331-h Hybrid Firmware
Thinkagile Mx3530-h Hybrid
Thinkagile Mx3530-h Hybrid Firmware
Thinkagile Mx3530 F All Flash
Thinkagile Mx3530 F All Flash Firmware
Thinkagile Mx3531-f All-flash
Thinkagile Mx3531-f All-flash Firmware
Thinkagile Mx3531 H Hybrid
Thinkagile Mx3531 H Hybrid Firmware
Thinkagile Vx2330
Thinkagile Vx2330 Firmware
Thinkagile Vx3330
Thinkagile Vx3330 Firmware
Thinkagile Vx3331
Thinkagile Vx3331 Firmware
Thinkagile Vx3530-g
Thinkagile Vx3530-g Firmware
Thinkagile Vx5530
Thinkagile Vx5530 Firmware
Thinkagile Vx7330
Thinkagile Vx7330 Firmware
Thinkagile Vx7530
Thinkagile Vx7530 Firmware
Thinkagile Vx7531
Thinkagile Vx7531 Firmware
Thinksystem Sd630 V2
Thinksystem Sd630 V2 Firmware
Thinksystem Sd650-n V2
Thinksystem Sd650-n V2 Firmware
Thinksystem Sd650 V2
Thinksystem Sd650 V2 Firmware
Thinksystem Sd650 V3 Firmware
Thinksystem Sd665 V3 Firmware
Thinksystem Sn550 V2
Thinksystem Sn550 V2 Firmware
Thinksystem Sr250 Firmware
Thinksystem Sr250 V2
Thinksystem Sr258 V2
Thinksystem Sr258 V2 Firmware
Thinksystem Sr630 V2
Thinksystem Sr630 V2 Firmware
Thinksystem Sr630 V3 Firmware
Thinksystem Sr635 V3 Firmware
Thinksystem Sr645
Thinksystem Sr645 Firmware
Thinksystem Sr645 V3
Thinksystem Sr645 V3 Firmware
Thinksystem Sr650 V2
Thinksystem Sr650 V2 Firmware
Thinksystem Sr650 V3 Firmware
Thinksystem Sr655 V3 Firmware
Thinksystem Sr665
Thinksystem Sr665 Firmware
Thinksystem Sr665 V3 Firmware
Thinksystem Sr670
Thinksystem Sr670 Firmware
Thinksystem Sr670 V2
Thinksystem Sr670 V2 Firmware
Thinksystem Sr675 V3 Firmware
Thinksystem Sr850 V2
Thinksystem Sr850 V2 Firmware
Thinksystem Sr850 V3 Firmware
Thinksystem Sr860 V2
Thinksystem Sr860 V2 Firmware
Thinksystem Sr860 V3 Firmware
Thinksystem St250 V2
Thinksystem St250 V2 Firmware
Thinksystem St258 V2
Thinksystem St258 V2 Firmware
Thinksystem St650 V2
Thinksystem St650 V2 Firmware
Thinksystem St650 V3 Firmware
Thinksystem St658 V2
Thinksystem St658 V2 Firmware
Thinksystem St658 V3 Firmware
Advisories

Source: EUVD
ID: EUVD-2023-54461
Title: An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.

Fixes

Solution

Upgrade to the product version (or newer) indicated for your model in the advisory: https://support.lenovo.com/us/en/product_security/LEN-140960
Workaround

No workaround given by the vendor.

History

No history.

MITRE

Status: PUBLISHED

Assigner: lenovo

Published:

Updated: 2024-09-11T20:38:29.704Z

Reserved: 2023-08-29T15:54:56.119Z

Link: CVE-2023-4608

Vulnrichment

Updated: 2024-08-02T07:31:06.539Z

NVD

Status: Modified

Published: 2023-10-25T18:17:41.670

Modified: 2024-11-21T08:35:32.260

Link: CVE-2023-4608

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses