CVE-2023-25495
Last modified
CVE-2023-25495 is a medium-severity vulnerability rated 4.9/10 on the CVSS scale. A valid, authenticated administrative user can query a web interface API to reveal the configured LDAP client password used by XCC to authenticate to an external LDAP server in certain configurations. There is no exposure where no LDAP client password is configured. EPSS estimates a 0.57% chance of exploitation in the next 30 days.
Description
A valid, authenticated administrative user can query a web interface API to reveal the configured LDAP client password used by XCC to authenticate to an external LDAP server in certain configurations. There is no exposure where no LDAP client password is configured
Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Lenovo | Thinkagile Hx5530 Firmware | < 2.93_afbt30p |
| Lenovo | Thinkagile Hx7530 Firmware | < 2.93_afbt30p |
| Lenovo | Thinkagile Vx3331 Firmware | < 2.93_afbt30p |
| Lenovo | Thinkagile Hx Enclosure Firmware | < 3.72_tei388s |
| Lenovo | Thinkagile Hx1021 Firmware | < 3.72_tei388s |
| Lenovo | Thinkagile Hx1320 Firmware | < 8.88_cdi3a4a |
| Lenovo | Thinkagile Hx1321 Firmware | < 8.88_cdi3a4a |
| Lenovo | Thinkagile Hx1331 Firmware | < 2.93_afbt30p |
| Lenovo | Thinkagile Hx1520-R Firmware | < 8.88_cdi3a4a |
| Lenovo | Thinkagile Hx1521-R Firmware | < 8.88_cdi3a4a |
| Lenovo | Thinkagile Hx2320-E Firmware | < 8.88_cdi3a4a |
| Lenovo | Thinkagile Hx2321 Firmware | < 8.88_cdi3a4a |
| Lenovo | Thinkagile Hx2330 Firmware | < 2.93_afbt30p |
| Lenovo | Thinkagile Hx2330 Firmware | 2.93_afbt30p |
| Lenovo | Thinkagile Hx2331 Firmware | < 2.93_afbt30p |
| Lenovo | Thinkagile Hx2720-E Firmware | < 3.72_tei388s |
| Lenovo | Thinkagile Hx3320 Firmware | < 8.88_cdi3a4a |
| Lenovo | Thinkagile Hx3321 Firmware | < 8.88_cdi3a4a |
| Lenovo | Thinkagile Hx3330 Firmware | < 2.93_afbt30p |
| Lenovo | Thinkagile Hx3331 Firmware | < 2.93_afbt30p |
| Lenovo | Thinkagile Hx3331 Firmware | < 4.71_d8bt48p |
| Lenovo | Thinkagile Hx3375 Firmware | < 4.71_d8bt48p |
| Lenovo | Thinkagile Hx3376 Firmware | < 8.88_cdi3a4a |
| Lenovo | Thinkagile Hx3520-G Firmware | < 8.88_cdi3a4a |
| Lenovo | Thinkagile Hx3521-G Firmware | < 3.72_tei388s |
| Lenovo | Thinkagile Hx3720 Firmware | < 3.72_tei388s |
| Lenovo | Thinkagile Hx3721 Firmware | < 8.88_cdi3a4a |
| Lenovo | Thinkagile Hx5520 Firmware | < 8.88_cdi3a4a |
| Lenovo | Thinkagile Hx5520-C Firmware | < 8.88_cdi3a4a |
| Lenovo | Thinkagile Hx5521 Firmware | < 8.88_cdi3a4a |
| Lenovo | Thinkagile Hx5521-C Firmware | < 2.93_afbt30p |
| Lenovo | Thinkagile Hx5531 Firmware | < 8.88_cdi3a4a |
| Lenovo | Thinkagile Hx7520 Firmware | < 8.88_cdi3a4a |
| Lenovo | Thinkagile Hx7521 Firmware | < 2.93_afbt30p |
| Lenovo | Thinkagile Hx7531 Firmware | < 2.93_afbt30p |
| Lenovo | Thinkagile Hx7531 Firmware | < 2.75_psi348s |
| Lenovo | Thinkagile Hx7820 Firmware | < 2.75_psi348s |
| Lenovo | Thinkagile Hx7821 Firmware | < 3.72_tei388s |
| Lenovo | Thinkagile Mx1020 Firmware | < 2.93_afbt30p |
| Lenovo | Thinkagile Mx3330-F Firmware | < 2.93_afbt30p |
| Lenovo | Thinkagile Mx3330-H Firmware | < 2.93_afbt30p |
| Lenovo | Thinkagile Mx3331-F Firmware | < 2.93_afbt30p |
| Lenovo | Thinkagile Mx3331-H Firmware | < 2.93_afbt30p |
| Lenovo | Thinkagile Mx3530 F Firmware | < 2.93_afbt30p |
| Lenovo | Thinkagile Mx3530-H Firmware | < 2.93_afbt30p |
| Lenovo | Thinkagile Mx3531 H Firmware | < 2.93_afbt30p |
| Lenovo | Thinkagile Mx3531-F Firmware | < 3.72_tei388s |
| Lenovo | Thinkagile Mx1021 On Se350 Firmware | < 3.72_tei388s |
| Lenovo | Thinkagile Vx 1se Firmware | < 3.72_tei388s |
| Lenovo | Thinkagile Vx 2u4n Firmware | < 3.72_tei388s |
Showing 50 of 112 affected configurations. See NVD for the full list.
References
- https://support.lenovo.com/us/en/product_security/LEN-99936Vendor Advisory
- https://support.lenovo.com/us/en/product_security/LEN-99936Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2023-25495?
How severe is CVE-2023-25495?
How do I fix CVE-2023-25495?
Are you affected by CVE-2023-25495?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST