Arbitrary Command Injection in AMI BMC via SPX REST API
CVE-2023-34334

8.8HIGH

Key Information:

Vendor: AMI
Status: MegaRAC_SPx
Vendor: CVE Published:; 12 June 2023

What is CVE-2023-34334?

AMI BMC features a vulnerability in its SPX REST API that enables an attacker with valid privileges to inject arbitrary shell commands. This flaw may lead to severe consequences, including unauthorized code execution, denial of service, potential information disclosure, and data tampering. Proper mitigation techniques should be implemented to safeguard against potential exploits.

Affected Version(s)

MegaRAC_SPx ARM 12.0 < 12.7

MegaRAC_SPx ARM 13.0 < 13.5

References

https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 12, 2023
Vulnerability Reserved
Jun 1, 2023

Credit

NVIDIA Offensive Security Research (OSR) team