Unauthenticated XML External Entity Injection in Lenovo's CIM Server
CVE-2023-3113

8.2HIGH

Key Information:

Vendor: Lenovo
Status: Lenovo Xclarity Administrator
Vendor: CVE Published:; 26 June 2023

Summary

An unauthenticated XML External Entity Injection vulnerability has been identified in Lenovo's Common Information Model (CIM) server. This issue allows attackers to exploit the server in order to gain read-only access to sensitive files, potentially exposing critical data. The vulnerability arises from improper validation of XML input, which could be manipulated to disclose confidential information. Managing this risk requires prompt patching and adherence to security best practices.

Affected Version(s)

Lenovo XClarity Administrator Versions prior to 4.0

References

https://support.lenovo.com/us/en/product_security/LEN-98715

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 26, 2023
Vulnerability Reserved
Jun 5, 2023