Skip to main content

Xclarity Administrator CVE-2023-34420

HIGH
OS Command Injection (CWE-78)
2023-06-26 psirt@lenovo.com
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 26, 2023 - 20:15 nvd
HIGH 7.2

DescriptionNVD

A valid, authenticated LXCA user with elevated privileges may be able to execute command injections through crafted calls to a specific web API.

AnalysisAI

A valid, authenticated LXCA user with elevated privileges may be able to execute command injections through crafted calls to a specific web API. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as OS Command Injection (CWE-78), which allows attackers to execute arbitrary operating system commands on the host. A valid, authenticated LXCA user with elevated privileges may be able to execute command injections through crafted calls to a specific web API. Affected products include: Lenovo Xclarity Administrator.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Avoid passing user input to shell commands. Use language-specific APIs instead of shell execution. Apply strict input validation with allowlists.

CVE-2016-8233 CRITICAL
9.8 Mar 01

Log files generated by Lenovo XClarity Administrator (LXCA) versions earlier than 1.2.2 may contain user credentials in

CVE-2017-3770 HIGH
8.8 Sep 22

Privilege escalation vulnerability in LXCA versions earlier than 1.3.2 where an authenticated user may be able to abuse

CVE-2018-9066 HIGH
8.8 Jul 30

In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user can, under specific circumstanc

CVE-2018-9064 HIGH
8.8 Jul 30

In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user may abuse a web API debug call

CVE-2023-34418 HIGH
8.1 Jun 26

A valid, authenticated LXCA user may be able to gain unauthorized access to events and other data stored in LXCA due to

CVE-2017-3745 HIGH
7.8 Jun 20

In Lenovo XClarity Administrator (LXCA) before 1.3.0, if service data is downloaded from LXCA, a non-administrative user

CVE-2023-3113 HIGH
7.5 Jun 26

An unauthenticated XML external entity injection (XXE) vulnerability exists in LXCA's Common Information Model (CIM) ser

CVE-2019-6179 HIGH
7.5 Sep 03

An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) prior to vers

CVE-2018-9065 HIGH
7.5 Jul 30

In Lenovo xClarity Administrator versions earlier than 2.1.0, an attacker that gains access to the underlying LXCA file

CVE-2016-8221 HIGH
7.0 Jan 12

Privilege Escalation in Lenovo XClarity Administrator earlier than 1.2.0, if LXCA is used to manage rack switches or cha

CVE-2017-3763 MEDIUM
6.7 Sep 22

An attacker who obtains access to the location where the LXCA file system is stored may be able to access credentials of

CVE-2024-45104 MEDIUM
6.5 Sep 13

A valid, authenticated LXCA user without sufficient privileges may be able to use the device identifier to modify an LXC

Share

CVE-2023-34420 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy