CVE-2024-2659

CWE-78 — OS Command Injection CWE-994 documents4 sources

Severity

7.2HIGH

EPSS

0.4%

top 37.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lenovo Nextscale N1200 Enclosure Firmware Lenovo Thinkagile 2u4n Firmware Lenovo Thinkagile Cp-cb-10 Firmware +65 more

Timeline

PublishedApr 15

Latest updateJul 12

Description

A command injection vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user with elevated privileges to execute system commands when performing a specific administrative function.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages68 packages

▶NVDlenovo/thinksystem_da240_firmware< UMSM12I-1.1.3

▶NVDlenovo/thinksystem_dw612_firmware< UMSM12I-1.1.3

▶NVDlenovo/thinksystem_d2_enclosure_firmware< TESM40B-1.27

▶NVDlenovo/thinkagile_2u4n_firmware< tesm40b-1.27

▶NVDlenovo/thinkagile_vx_1u_firmware< tesm40b-1.27

🔴Vulnerability Details

GHSA

GHSA-6rqw-3wpr-8qcj: A command injection vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user with elevated privileges to execute system↗2024-04-15

▶

CVEList

CVE-2024-2659: A command injection vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user with elevated privileges to execute system↗2024-04-15

▶

📋Vendor Advisories

Red Hat

kernel: tty: add the option to have a tty reject a new ldisc↗2024-07-12

▶