CVE-2023-29057

Published: 2023-04-28 20:53:13
CWE: CWE-276
Vendor: lenovo
Source: www.cve.org
Tags: xcc user, local account permissions, active directory, privilege escalation, ldap authentication, ldap authorization, local first, then ldap

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

0.001

Percentile

29.0%

A valid XCC user's local account permissions override their Active Directory permissions under specific configurations. This could lead to a privilege escalation. To be vulnerable, LDAP must be configured for authentication/authorization and logins configured as "Local First, then LDAP".

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "XClarity Controller",
    "vendor": "Lenovo",
    "versions": [
      {
        "status": "affected",
        "version": "Refer to Mitigation strategy section in LEN-118321"
      }
    ]
  }
]
