Strix
26.1K

CVE-2023-29058

MEDIUMCVSS 6.5/10EPSS 0.36%

Last modified

CVE-2023-29058 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. A valid, authenticated XCC user with read-only permissions can modify custom user roles on other user accounts and the user trespass message through the XCC CLI. There is no exposure if SSH is disabled or if there are no users assigned optional read-only permissions.. EPSS estimates a 0.36% chance of exploitation in the next 30 days.

Description

A valid, authenticated XCC user with read-only permissions can modify custom user roles on other user accounts and the user trespass message through the XCC CLI. There is no exposure if SSH is disabled or if there are no users assigned optional read-only permissions.

Metrics

CVSS 3.1
6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS Probability
0.36%

27.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
LenovoThinkagile Hx5530 Firmware< 2.93_afbt30p
LenovoThinkagile Hx7530 Firmware< 2.93_afbt30p
LenovoThinkagile Vx3331 Firmware< 2.93_afbt30p
LenovoThinkagile Hx Enclosure Firmware< 3.72_tei388s
LenovoThinkagile Hx1021 Firmware< 3.72_tei388s
LenovoThinkagile Hx1320 Firmware< 8.88_cdi3a4a
LenovoThinkagile Hx1321 Firmware< 8.88_cdi3a4a
LenovoThinkagile Hx1331 Firmware< 2.93_afbt30p
LenovoThinkagile Hx1520-R Firmware< 8.88_cdi3a4a
LenovoThinkagile Hx1521-R Firmware< 8.88_cdi3a4a
LenovoThinkagile Hx2320-E Firmware< 8.88_cdi3a4a
LenovoThinkagile Hx2321 Firmware< 8.88_cdi3a4a
LenovoThinkagile Hx2330 Firmware< 2.93_afbt30p
LenovoThinkagile Hx2330 Firmware2.93_afbt30p
LenovoThinkagile Hx2331 Firmware< 2.93_afbt30p
LenovoThinkagile Hx2720-E Firmware< 3.72_tei388s
LenovoThinkagile Hx3320 Firmware< 8.88_cdi3a4a
LenovoThinkagile Hx3321 Firmware< 8.88_cdi3a4a
LenovoThinkagile Hx3330 Firmware< 2.93_afbt30p
LenovoThinkagile Hx3331 Firmware< 2.93_afbt30p
LenovoThinkagile Hx3331 Firmware< 4.71_d8bt48p
LenovoThinkagile Hx3375 Firmware< 4.71_d8bt48p
LenovoThinkagile Hx3376 Firmware< 8.88_cdi3a4a
LenovoThinkagile Hx3520-G Firmware< 8.88_cdi3a4a
LenovoThinkagile Hx3521-G Firmware< 3.72_tei388s
LenovoThinkagile Hx3720 Firmware< 3.72_tei388s
LenovoThinkagile Hx3721 Firmware< 8.88_cdi3a4a
LenovoThinkagile Hx5520 Firmware< 8.88_cdi3a4a
LenovoThinkagile Hx5520-C Firmware< 8.88_cdi3a4a
LenovoThinkagile Hx5521 Firmware< 8.88_cdi3a4a
LenovoThinkagile Hx5521-C Firmware< 2.93_afbt30p
LenovoThinkagile Hx5531 Firmware< 8.88_cdi3a4a
LenovoThinkagile Hx7520 Firmware< 8.88_cdi3a4a
LenovoThinkagile Hx7521 Firmware< 2.93_afbt30p
LenovoThinkagile Hx7531 Firmware< 2.93_afbt30p
LenovoThinkagile Hx7531 Firmware< 2.75_psi348s
LenovoThinkagile Hx7820 Firmware< 2.75_psi348s
LenovoThinkagile Hx7821 Firmware< 3.72_tei388s
LenovoThinkagile Mx1020 Firmware< 2.93_afbt30p
LenovoThinkagile Mx3330-F Firmware< 2.93_afbt30p
LenovoThinkagile Mx3330-H Firmware< 2.93_afbt30p
LenovoThinkagile Mx3331-F Firmware< 2.93_afbt30p
LenovoThinkagile Mx3331-H Firmware< 2.93_afbt30p
LenovoThinkagile Mx3530 F Firmware< 2.93_afbt30p
LenovoThinkagile Mx3530-H Firmware< 2.93_afbt30p
LenovoThinkagile Mx3531 H Firmware< 2.93_afbt30p
LenovoThinkagile Mx3531-F Firmware< 3.72_tei388s
LenovoThinkagile Mx1021 On Se350 Firmware< 3.72_tei388s
LenovoThinkagile Vx 1se Firmware< 3.72_tei388s
LenovoThinkagile Vx 2u4n Firmware< 3.72_tei388s

Showing 50 of 112 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2023-29058?
A valid, authenticated XCC user with read-only permissions can modify custom user roles on other user accounts and the user trespass message through the XCC CLI. There is no exposure if SSH is disabled or if there are no users assigned optional read-only permissions.
How severe is CVE-2023-29058?
CVE-2023-29058 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.36% probability of exploitation in the next 30 days.
How do I fix CVE-2023-29058?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-29058?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST