CWE: 522

CVE-2023-25495

First published: Fri Apr 28 2023 (Updated: )

A valid, authenticated administrative user can query a web interface API to reveal the configured LDAP client password used by XCC to authenticate to an external LDAP server in certain configurations. There is no exposure where no LDAP client password is configured.
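The flaw described above is the classic CWE-522 pattern: a configuration read-back endpoint returns a stored credential verbatim to anyone allowed to call it, so the LDAP bind password becomes readable by every administrator (and by anyone who steals an admin session) rather than staying write-only on the device. The following is an added illustration, not XCC code or anything from the Lenovo advisory; the endpoint shape, field names, the in-memory configuration store and the sample values are all hypothetical stand-ins. It shows the vulnerable handler beside a hardened one that reports only whether a password is configured, plus a small checker a pentester or a post-patch regression test can run over any decoded JSON config dump to spot credential-bearing fields.

```python
"""CWE-522 in a configuration read-back API, and the fix (added example).

NOT XCC code: endpoint, field names and values are hypothetical stand-ins for
the pattern in CVE-2023-25495 (an authenticated admin reading back the LDAP
client bind password through a config API).
"""
import json

# Constructed sample configuration with hypothetical values.
CONFIG = {
    "ldap": {
        "server": "ldaps://ldap.example.internal:636",
        "bind_dn": "cn=bmc-reader,ou=svc,dc=example,dc=internal",
        # The credential that must never leave the device once set.
        "bind_password": "s3cret-bind-pw",
        "base_dn": "dc=example,dc=internal",
    }
}

# Keys that are write-only: settable through the API, never returned by it.
SECRET_KEYS = {"bind_password"}


def get_ldap_config_vulnerable(config: dict) -> dict:
    """Vulnerable handler: returns the stored LDAP section verbatim, so any
    authenticated administrator who calls the endpoint receives the LDAP
    client password in the response body."""
    return dict(config["ldap"])


def get_ldap_config_hardened(config: dict) -> dict:
    """Hardened handler: strips write-only secrets and replaces them with a
    presence flag, so the admin can see that a password is set without
    ever learning its value."""
    ldap = config["ldap"]
    public = {k: v for k, v in ldap.items() if k not in SECRET_KEYS}
    public["bind_password_configured"] = bool(ldap.get("bind_password"))
    return public


def response_leaks_secret(body: dict, config: dict) -> bool:
    """True when the serialised response contains the literal configured
    password. Empty passwords are not a leak, matching the advisory's note
    that there is no exposure when no LDAP client password is configured."""
    secret = config["ldap"].get("bind_password", "")
    return bool(secret) and secret in json.dumps(body)


# Field-name hints for the generic checker below (hypothetical list).
SECRET_NAME_HINTS = ("password", "passwd", "secret", "bind_pw")


def find_exposed_secret_fields(obj, path: str = "") -> list:
    """Walk a decoded JSON response and return the dotted paths of non-empty
    string fields whose names suggest a credential. Useful when reviewing a
    BMC or appliance config dump during a pentest, or as a regression test
    after applying a fix. Boolean presence flags are deliberately ignored."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if isinstance(value, (dict, list)):
                hits.extend(find_exposed_secret_fields(value, here))
            elif isinstance(value, str) and value and any(
                hint in key.lower() for hint in SECRET_NAME_HINTS
            ):
                hits.append(here)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits.extend(find_exposed_secret_fields(value, f"{path}[{index}]"))
    return hits


if __name__ == "__main__":
    print("vulnerable:", json.dumps(get_ldap_config_vulnerable(CONFIG)))
    print("hardened:  ", json.dumps(get_ldap_config_hardened(CONFIG)))
    print("exposed fields in vulnerable response:",
          find_exposed_secret_fields(get_ldap_config_vulnerable(CONFIG)))
```

The design choice worth copying is the presence flag: administrators legitimately need to know whether LDAP authentication is configured and against which server, but nothing in a read path needs the bind password itself. Treating it as write-only (accept on PUT/PATCH, never echo on GET) removes the exposure without removing any administrative capability, and the checker gives you a quick way to confirm a vendor fix actually stopped returning the field rather than just renaming it.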

Credit: psirt@lenovo.com

Affected Software  Affected Version  How to fix
<2.93_afbt30p
<2.93_afbt30p
<2.93_afbt30p
<3.72_tei388s
<3.72_tei388s
<8.88_cdi3a4a
Lenovo Thinkagile Hx1320
<8.88_cdi3a4a
Lenovo Thinkagile Hx1321
<2.93_afbt30p
<8.88_cdi3a4a
Lenovo Thinkagile Hx1520-r
<8.88_cdi3a4a
Lenovo Thinkagile Hx1521-r
<8.88_cdi3a4a
Lenovo Thinkagile Hx2320-e
<8.88_cdi3a4a
Lenovo Thinkagile Hx2321
<2.93_afbt30p
=2.93_afbt30p
<2.93_afbt30p
<3.72_tei388s
<8.88_cdi3a4a
Lenovo Thinkagile Hx3320
<8.88_cdi3a4a
Lenovo Thinkagile Hx3321
<2.93_afbt30p
<2.93_afbt30p
<4.71_d8bt48p
<4.71_d8bt48p
Lenovo Thinkagile Hx3375
<8.88_cdi3a4a
Lenovo Thinkagile Hx3376
<8.88_cdi3a4a
Lenovo Thinkagile Hx3520-g
<3.72_tei388s
Lenovo Thinkagile Hx3521-g
<3.72_tei388s
Lenovo Thinkagile Hx3720
<8.88_cdi3a4a
<8.88_cdi3a4a
Lenovo Thinkagile Hx5520
<8.88_cdi3a4a
Lenovo Thinkagile Hx5520-c
<8.88_cdi3a4a
Lenovo Thinkagile Hx5521
<2.93_afbt30p
Lenovo Thinkagile Hx5521-c
<8.88_cdi3a4a
<8.88_cdi3a4a
Lenovo Thinkagile Hx7520
<2.93_afbt30p
Lenovo Thinkagile Hx7521
<2.93_afbt30p
<2.75_psi348s
<2.75_psi348s
Lenovo Thinkagile Hx7820
<3.72_tei388s
Lenovo Thinkagile Hx7821
<2.93_afbt30p
Lenovo Thinkagile Mx1020
<2.93_afbt30p
<2.93_afbt30p
<2.93_afbt30p
<2.93_afbt30p
<2.93_afbt30p
<2.93_afbt30p
<2.93_afbt30p
<3.72_tei388s
<3.72_tei388s
<3.72_tei388s
<3.72_tei388s
<2.75_psi348s
<3.72_tei388s
<8.88_cdi3a4a
Lenovo Thinkagile Vx2320
<2.93_afbt30p
<8.88_cdi3a4a
Lenovo Thinkagile Vx3320
<2.93_afbt30p
<8.88_cdi3a4a
Lenovo Thinkagile Vx3520-g
<2.93_afbt30p
<3.72_tei388s
<8.88_cdi3a4a
Lenovo Thinkagile Vx5520
<2.93_afbt30p
<8.88_cdi3a4a
Lenovo Thinkagile Vx7320 N
<2.93_afbt30p
<8.88_cdi3a4a
Lenovo Thinkagile Vx7520
<8.88_cdi3a4a
Lenovo Thinkagile Vx7520 N
<2.93_afbt30p
<2.93_afbt30p
<2.75_psi348s
<1.60_usx324o
Lenovo Thinkstation P920 Firmware  <8.88_cdi3a4a
Lenovo Thinkstation P920
<3.72_tei388s
Lenovo Thinksystem Sd530
<2.60_tgbt42h
<3.72_tei388s
Lenovo Thinksystem Sd650
<2.60_tgbt42h
<2.60_tgbt42h
<3.72_tei388s
Lenovo Thinksystem Se350
<3.72_tei388s
Lenovo Thinksystem Sn550
<2.60_tgbt42h
<3.72_tei388s
Lenovo Thinksystem Sn850
<3.72_tei388s
Lenovo Thinksystem Sr150
<3.72_tei388s
Lenovo Thinksystem Sr158
<3.72_tei388s
Lenovo Thinksystem Sr250
<2.60_tgbt42h
<3.72_tei388s
Lenovo Thinksystem Sr258
<2.60_tgbt42h
<8.88_cdi3a4a
Lenovo Thinksystem Sr530
<8.88_cdi3a4a
Lenovo Thinksystem Sr550
<8.88_cdi3a4a
Lenovo Thinksystem Sr570
<8.88_cdi3a4a
Lenovo Thinksystem Sr590
Lenovo Thinksystem Sr630 Firmware  <8.88_cdi3a4a
Lenovo Thinksystem Sr630
<2.93_afbt30p
<4.71_d8bt48p
Lenovo Thinksystem Sr645
<4.71_d8bt48p
<8.88_cdi3a4a
Lenovo Thinksystem Sr650
<2.93_afbt30p
<4.71_d8bt48p
Lenovo Thinksystem Sr665
<4.71_d8bt48p
<3.72_tei388s
Lenovo Thinksystem Sr670
<2.60_tgbt42h
<3.72_tei388s
Lenovo Thinksystem Sr850
<2.60_tgbt42h
<3.72_tei388s
Lenovo Thinksystem Sr850p
<3.72_tei388s
Lenovo Thinksystem Sr860
<2.60_tgbt42h
<2.75_psi348s
Lenovo Thinksystem Sr950
<3.72_tei388s
Lenovo Thinksystem St250
<2.60_tgbt42h
<3.72_tei388s
Lenovo Thinksystem St258
<2.60_tgbt42h
<8.88_cdi3a4a
Lenovo Thinksystem St550
<2.60_tgbt42h
<2.60_tgbt42h

Remedy

Customers should update to the Lenovo XClarity Controller (XCC) firmware version (or later) identified for their product in the related Lenovo Product Security Advisory LEN-99936: https://support.lenovo.com/us/en/product_security/LEN-99936
