CVE-2023-4607

Severity: HIGH | CVSS 8.8/10 | EPSS 0.43%

CVE-2023-4607 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. An authenticated XCC user can change permissions for any user through a crafted API command. EPSS estimates a 0.43% chance of exploitation in the next 30 days.

Description

An authenticated XCC user can change permissions for any user through a crafted API command.

Metrics

CVSS 3.1
8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
0.43%

34.1st percentile

Probability of exploitation in the next 30 days.

Weakness Enumeration

Affected Software

Vendor | Product | Versions
Lenovo | Thinkagile Hx5530 Firmware | All versions
Lenovo | Thinkagile Hx7530 Firmware | All versions
Lenovo | Thinkagile Vx3331 Firmware | All versions
Lenovo | Thinkagile Hx1331 Firmware | All versions
Lenovo | Thinkagile Hx2330 Firmware | All versions
Lenovo | Thinkagile Hx2331 Firmware | All versions
Lenovo | Thinkagile Hx3330 Firmware | All versions
Lenovo | Thinkagile Hx3331 Firmware | All versions
Lenovo | Thinkagile Hx3375 Firmware | All versions
Lenovo | Thinkagile Hx3376 Firmware | All versions
Lenovo | Thinkagile Hx5531 Firmware | All versions
Lenovo | Thinkagile Hx7531 Firmware | All versions
Lenovo | Thinkagile Mx3330-F All-Flash Firmware | All versions
Lenovo | Thinkagile Mx3330-H Hybrid Firmware | All versions
Lenovo | Thinkagile Mx3331-F All-Flash Firmware | All versions
Lenovo | Thinkagile Mx3331-H Hybrid Firmware | All versions
Lenovo | Thinkagile Mx3530 F All Flash Firmware | All versions
Lenovo | Thinkagile Mx3530-H Hybrid Firmware | All versions
Lenovo | Thinkagile Mx3531 H Hybrid Firmware | All versions
Lenovo | Thinkagile Mx3531-F All-Flash Firmware | All versions
Lenovo | Thinkagile Vx2330 Firmware | All versions
Lenovo | Thinkagile Vx3330 Firmware | All versions
Lenovo | Thinkagile Vx3530-G Firmware | All versions
Lenovo | Thinkagile Vx5530 Firmware | All versions
Lenovo | Thinkagile Vx7330 Firmware | All versions
Lenovo | Thinkagile Vx7530 Firmware | All versions
Lenovo | Thinkagile Vx7531 Firmware | All versions
Lenovo | Thinksystem Sd630 V2 Firmware | All versions
Lenovo | Thinksystem Sd650 V2 Firmware | All versions
Lenovo | Thinksystem Sd650 V3 Firmware | All versions
Lenovo | Thinksystem Sd650-N V2 Firmware | All versions
Lenovo | Thinksystem Sd665 V3 Firmware | All versions
Lenovo | Thinksystem Sn550 V2 Firmware | All versions
Lenovo | Thinksystem Sr250 Firmware | All versions
Lenovo | Thinksystem Sr258 V2 Firmware | All versions
Lenovo | Thinksystem Sr630 V2 Firmware | All versions
Lenovo | Thinksystem Sr630 V3 Firmware | All versions
Lenovo | Thinksystem Sr635 V3 Firmware | All versions
Lenovo | Thinksystem Sr645 Firmware | All versions
Lenovo | Thinksystem Sr645 V3 Firmware | All versions
Lenovo | Thinksystem Sr650 V2 Firmware | All versions
Lenovo | Thinksystem Sr650 V3 Firmware | All versions
Lenovo | Thinksystem Sr655 V3 Firmware | All versions
Lenovo | Thinksystem Sr665 Firmware | All versions
Lenovo | Thinksystem Sr665 V3 Firmware | All versions
Lenovo | Thinksystem Sr670 Firmware | All versions
Lenovo | Thinksystem Sr670 V2 Firmware | All versions
Lenovo | Thinksystem Sr675 V3 Firmware | All versions
Lenovo | Thinksystem Sr850 V2 Firmware | All versions
Lenovo | Thinksystem Sr850 V3 Firmware | All versions

Showing 50 of 123 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2023-4607?
An authenticated XCC user can change permissions for any user through a crafted API command.
How severe is CVE-2023-4607?
CVE-2023-4607 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 0.43% probability of exploitation in the next 30 days.
How do I fix CVE-2023-4607?
Check the vendor references and advisories linked above for patched versions and mitigation guidance.

Source: NVD / NIST