Lucene search

LenovoCVELIST:CVE-2023-2993

HistoryJun 26, 2023 - 7:44 p.m.

CVE-2023-2993

2023-06-2619:44:50

CWE-281

lenovo

www.cve.org

cve-2023-2993

authenticated user

web management server

api calls

smm v1

smm v2

fpc

limited privileges

unauthorized commands

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

17.5%

JSON

A valid, authenticated user with limited privileges may be able to use specifically crafted web management server API calls to execute a limited number of commands on SMM v1, SMM v2, and FPC that the user does not normally have sufficient privileges to execute.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "System Management Module (SMM) ",
    "vendor": "Lenovo",
    "versions": [
      {
        "status": "affected",
        "version": "various"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Fan Power Controller (FPC)",
    "vendor": "Lenovo",
    "versions": [
      {
        "status": "affected",
        "version": "various"
      }
    ]
  }
]

References

support.lenovo.com/us/en/product_security/LEN-127357

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

17.5%

JSON

Related for CVELIST:CVE-2023-2993