CVE-2023-29056

CWE-269 — Improper Privilege Management3 documents3 sources

Severity

5.9MEDIUM

EPSS

0.2%

top 57.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

110

Lenovo Thinkagile Hx1021 Firmware Lenovo Thinkagile Hx1320 Firmware Lenovo Thinkagile Hx1321 Firmware +107 more

Timeline

PublishedApr 28

Latest updateApr 29

Description

A valid LDAP user, under specific conditions, will default to read-only permissions when authenticating into XCC. To be vulnerable, XCC must be configured to use an LDAP server for Authentication/Authorization and have the login permission attribute not defined.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages110 packages

▶NVDlenovo/thinkagile_vx_4u_firmware< 2.75_psi348s

▶NVDlenovo/thinkedge_se450__firmware< 1.60_usx324o

▶NVDlenovo/thinkagile_hx1021_firmware< 3.72_tei388s

▶NVDlenovo/thinkagile_hx1320_firmware< 8.88_cdi3a4a

▶NVDlenovo/thinkagile_hx1321_firmware< 8.88_cdi3a4a

🔴Vulnerability Details

GHSA

GHSA-9mfm-jpv6-46g5: A valid LDAP user, under specific conditions, will default to read-only permissions when authenticating into XCC↗2023-04-29

▶

CVEList

CVE-2023-29056: A valid LDAP user, under specific conditions, will default to read-only permissions when authenticating into XCC↗2023-04-28

▶