CVE-2023-34330

Code injection via Dynamic Redfish Extension interface

CVSS 8.2 HIGH | EPSS 0.5% | CWE-94
In short

A flaw in AMI SPx's BMC allows attackers to inject and execute malicious code through the Dynamic Redfish Extension interface, potentially compromising the security of the entire system.

Technical detail

A CWE-94 code injection vulnerability in AMI SPx BMC's Dynamic Redfish Extension interface permits unauthenticated or low-privileged users to inject arbitrary code and achieve remote execution. Successful exploitation results in complete compromise of the confidentiality, integrity, and availability of the affected BMC and potentially the managed system.

Summary generated and translated by AI from the official description.
AMI SPx contains a vulnerability in the BMC where a user may inject code which could be executed via a Dynamic Redfish Extension interface. A successful exploit of this vulnerability may lead to a loss of confidentiality, integrity, and availability.
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
