Design/Logic Flaw

2023-06-2620:15:00

PRIOn knowledge base

www.prio-n.com

design/ logic flaw

limited privileges

web management server

api calls

smm v1

smm v2

fpc

unauthorized commands

6.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.5%

JSON

A valid, authenticated user with limited privileges may be able to use specifically crafted web management server API calls to execute a limited number of commands on SMM v1, SMM v2, and FPC that the user does not normally have sufficient privileges to execute.

CPENameOperatorVersion
nextscale_n1200_enclosure_firmwareeq< fhet60b-3.40
thinkagile_cp-cb-10_firmwareeq< tesm38c-1.26
thinkagile_cp-cb-10e_firmwareeq< tesm38c-1.26
thinkagile_hx_enclosure_certified_node_firmwareeq< tesm38c-1.26
thinkagile_vx_enclosure_firmwareeq< tesm38c-1.26
thinksystem_d2_enclosure_firmwareeq< tesm38c-1.26
thinksystem_da240_enclosure_firmwareeq< umsm10s-1.7
thinksystem_dw612_enclosure_firmwareeq< umsm10s-1.7

Name	Operator	Version
nextscale_n1200_enclosure_firmware	eq	< fhet60b-3.40
thinkagile_cp-cb-10_firmware	eq	< tesm38c-1.26
thinkagile_cp-cb-10e_firmware	eq	< tesm38c-1.26
thinkagile_hx_enclosure_certified_node_firmware	eq	< tesm38c-1.26
thinkagile_vx_enclosure_firmware	eq	< tesm38c-1.26
thinksystem_d2_enclosure_firmware	eq	< tesm38c-1.26
thinksystem_da240_enclosure_firmware	eq	< umsm10s-1.7
thinksystem_dw612_enclosure_firmware	eq	< umsm10s-1.7

References

support.lenovo.com/us/en/product_security/LEN-127357