CVE-2023-2993

CWE-2813 documents3 sources

Severity

6.3MEDIUM

EPSS

0.1%

top 72.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lenovo Nextscale N1200 Enclosure Firmware Lenovo Thinkagile Cp-cb-10 Firmware Lenovo Thinkagile Cp-cb-10e Firmware +7 more

Timeline

PublishedJun 26

Description

A valid, authenticated user with limited privileges may be able to use specifically crafted web management server API calls to execute a limited number of commands on SMM v1, SMM v2, and FPC that the user does not normally have sufficient privileges to execute.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages10 packages

▶CVEListV5lenovo/system_management_module_(smm)various

▶NVDlenovo/thinkagile_cp-cb-10_firmware< tesm38c-1.26

▶NVDlenovo/thinkagile_cp-cb-10e_firmware< tesm38c-1.26

▶NVDlenovo/thinkagile_vx_enclosure_firmware< tesm38c-1.26

▶NVDlenovo/thinksystem_d2_enclosure_firmware< tesm38c-1.26

🔴Vulnerability Details

GHSA

GHSA-6fq2-7qrw-4c53: A valid, authenticated user with limited privileges may be able to use specifically crafted web management server API calls to execute a limited numbe↗2023-06-26

▶

CVEList

CVE-2023-2993: A valid, authenticated user with limited privileges may be able to use specifically crafted web management server API calls to execute a limited numbe↗2023-06-26

▶