CVE-2023-29057

CWE-276 — Incorrect Default Permissions3 documents3 sources

Severity

8.8HIGH

EPSS

0.2%

top 63.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

110

Lenovo Thinkagile Hx1021 Firmware Lenovo Thinkagile Hx1320 Firmware Lenovo Thinkagile Hx1321 Firmware +107 more

Timeline

PublishedApr 28

Latest updateJul 6

Description

A valid XCC user's local account permissions overrides their active directory permissions under specific configurations. This could lead to a privilege escalation. To be vulnerable, LDAP must be configured for authentication/authorization and logins configured as “Local First, then LDAP”.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:HExploitability: 2.1 | Impact: 5.2

Affected Packages110 packages

▶NVDlenovo/thinkagile_vx_4u_firmware< 2.75_psi348s

▶NVDlenovo/thinkedge_se450__firmware< 1.60_usx324o

▶NVDlenovo/thinkagile_hx1021_firmware< 3.72_tei388s

▶NVDlenovo/thinkagile_hx1320_firmware< 8.88_cdi3a4a

▶NVDlenovo/thinkagile_hx1321_firmware< 8.88_cdi3a4a

🔴Vulnerability Details

GHSA

GHSA-9gph-8xxh-c4w6: A valid XCC user's local account permissions overrides their active directory permissions under specific configurations↗2023-07-06

▶

CVEList

CVE-2023-29057: A valid XCC user's local account permissions overrides their active directory permissions under specific configurations↗2023-04-28

▶