CVE-2023-4606

Severity: HIGH | CVSS 8.1/10 | EPSS 0.46%

CVE-2023-4606 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. An authenticated XCC user with Read-Only permission can change a different user's password through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected. EPSS estimates a 0.46% chance of exploitation in the next 30 days.

Description

An authenticated XCC user with Read-Only permission can change a different user's password through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.

Metrics

CVSS 3.1
8.1/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

EPSS Probability
0.46%

36.4th percentile

Probability of exploitation in the next 30 days.

Weakness Enumeration

Affected Software

Vendor | Product | Versions
Lenovo | Thinkagile Hx5530 Firmware | All versions
Lenovo | Thinkagile Hx7530 Firmware | All versions
Lenovo | Thinkagile Vx3331 Firmware | All versions
Lenovo | Thinkagile Hx1331 Firmware | All versions
Lenovo | Thinkagile Hx2330 Firmware | All versions
Lenovo | Thinkagile Hx2331 Firmware | All versions
Lenovo | Thinkagile Hx3330 Firmware | All versions
Lenovo | Thinkagile Hx3331 Firmware | All versions
Lenovo | Thinkagile Hx3375 Firmware | All versions
Lenovo | Thinkagile Hx3376 Firmware | All versions
Lenovo | Thinkagile Hx5531 Firmware | All versions
Lenovo | Thinkagile Hx7531 Firmware | All versions
Lenovo | Thinkagile Mx3330-F All-Flash Firmware | All versions
Lenovo | Thinkagile Mx3330-H Hybrid Firmware | All versions
Lenovo | Thinkagile Mx3331-F All-Flash Firmware | All versions
Lenovo | Thinkagile Mx3331-H Hybrid Firmware | All versions
Lenovo | Thinkagile Mx3530 F All Flash Firmware | All versions
Lenovo | Thinkagile Mx3530-H Hybrid Firmware | All versions
Lenovo | Thinkagile Mx3531 H Hybrid Firmware | All versions
Lenovo | Thinkagile Mx3531-F All-Flash Firmware | All versions
Lenovo | Thinkagile Vx2330 Firmware | All versions
Lenovo | Thinkagile Vx3330 Firmware | All versions
Lenovo | Thinkagile Vx3530-G Firmware | All versions
Lenovo | Thinkagile Vx5530 Firmware | All versions
Lenovo | Thinkagile Vx7330 Firmware | All versions
Lenovo | Thinkagile Vx7530 Firmware | All versions
Lenovo | Thinkagile Vx7531 Firmware | All versions
Lenovo | Thinksystem Sd630 V2 Firmware | All versions
Lenovo | Thinksystem Sd650 V2 Firmware | All versions
Lenovo | Thinksystem Sd650 V3 Firmware | All versions
Lenovo | Thinksystem Sd650-N V2 Firmware | All versions
Lenovo | Thinksystem Sd665 V3 Firmware | All versions
Lenovo | Thinksystem Sn550 V2 Firmware | All versions
Lenovo | Thinksystem Sr250 Firmware | All versions
Lenovo | Thinksystem Sr258 V2 Firmware | All versions
Lenovo | Thinksystem Sr630 V2 Firmware | All versions
Lenovo | Thinksystem Sr630 V3 Firmware | All versions
Lenovo | Thinksystem Sr635 V3 Firmware | All versions
Lenovo | Thinksystem Sr645 Firmware | All versions
Lenovo | Thinksystem Sr645 V3 Firmware | All versions
Lenovo | Thinksystem Sr650 V2 Firmware | All versions
Lenovo | Thinksystem Sr650 V3 Firmware | All versions
Lenovo | Thinksystem Sr655 V3 Firmware | All versions
Lenovo | Thinksystem Sr665 Firmware | All versions
Lenovo | Thinksystem Sr665 V3 Firmware | All versions
Lenovo | Thinksystem Sr670 Firmware | All versions
Lenovo | Thinksystem Sr670 V2 Firmware | All versions
Lenovo | Thinksystem Sr675 V3 Firmware | All versions
Lenovo | Thinksystem Sr850 V2 Firmware | All versions
Lenovo | Thinksystem Sr850 V3 Firmware | All versions

Showing 50 of 58 affected configurations. See NVD for the full list.

References

Frequently Asked Questions

What is CVE-2023-4606?
An authenticated XCC user with Read-Only permission can change a different user's password through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.
How severe is CVE-2023-4606?
CVE-2023-4606 has a CVSS score of 8.1/10 (HIGH severity). The EPSS model estimates a 0.46% probability of exploitation in the next 30 days.
How do I fix CVE-2023-4606?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Source: NVD / NIST