CVE-2023-25495

CWE-522 — Insufficiently Protected Credentials3 documents3 sources

Severity

4.9MEDIUM

EPSS

0.1%

top 65.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

110

Lenovo Thinkagile Hx1021 Firmware Lenovo Thinkagile Hx1320 Firmware Lenovo Thinkagile Hx1321 Firmware +107 more

Timeline

PublishedApr 28

Latest updateApr 29

Description

A valid, authenticated administrative user can query a web interface API to reveal the configured LDAP client password used by XCC to authenticate to an external LDAP server in certain configurations. There is no exposure where no LDAP client password is configured

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages110 packages

▶NVDlenovo/thinkagile_vx_4u_firmware< 2.75_psi348s

▶NVDlenovo/thinkedge_se450__firmware< 1.60_usx324o

▶NVDlenovo/thinkagile_hx1021_firmware< 3.72_tei388s

▶NVDlenovo/thinkagile_hx1320_firmware< 8.88_cdi3a4a

▶NVDlenovo/thinkagile_hx1321_firmware< 8.88_cdi3a4a

🔴Vulnerability Details

GHSA

GHSA-66qf-8j2h-9xmq: A valid, authenticated administrative user can query a web interface API to reveal the configured LDAP client password used by XCC to authenticate to↗2023-04-29

▶

CVEList

CVE-2023-25495: A valid, authenticated administrative user can query a web interface API to reveal the configured LDAP client password used by XCC to authenticate to↗2023-04-28

▶