Command Injection Vulnerability in NEC CLUSTERPRO X and EXPRESSCLUSTER X Products
CVE-2023-39547

8.8HIGH

Key Information:

Vendor: Nec Corporation
Status: Clusterpro X (expresscluster X); Clusterpro X Singleserversafe (expresscluster X Singleserversafe)
Vendor: CVE Published:; 17 November 2023

🔔 Create Nec Corporation Vulnerability Alert

What is CVE-2023-39547?

NEC's CLUSTERPRO X and EXPRESSCLUSTER X products, specifically versions 5.1 and prior, contain a command injection vulnerability that allows authenticated attackers to execute arbitrary commands. This flaw could potentially compromise the integrity of the system, leading to unauthorized actions that can disrupt service and affect the confidentiality of sensitive information.

Affected Version(s)

CLUSTERPRO X (EXPRESSCLUSTER X) 1.0, 2.0 2.1, 3.0, 3.1, 3.2, 4.0, 4.1, 4.2, 5.0 and 5.1

CLUSTERPRO X SingleServerSafe (EXPRESSCLUSTER X SingleServerSafe) 1.0, 2.0 2.1, 3.0, 3.1, 3.2, 4.0, 4.1, 4.2, 5.0 and 5.1

References

https://jpn.nec.com/security-info/secinfo/nv23-009_en.html

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 17, 2023
Vulnerability Reserved
Aug 4, 2023

Credit

Mr. David Levard in Videotron.