History: Apr 28, 2023 - 8:47 p.m.

CVE-2023-29058

2023-04-28 20:47:46
CWE-276
lenovo
www.cve.org
5
cve-2023-29058
authenticated user
xcc cli
custom roles
trespass message
ssh
read-only permissions

CVSS3: 6.4

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:H

EPSS: 0.001
Percentile: 17.5%

A valid, authenticated XCC user with read-only permissions can modify custom user roles on other user accounts and the user trespass message through the XCC CLI. There is no exposure if SSH is disabled or if there are no users assigned optional read-only permissions.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "XClarity Controller",
    "vendor": "Lenovo",
    "versions": [
      {
        "status": "affected",
        "version": "Refer to Mitigation strategy section in LEN-118321"
      }
    ]
  }
]
