CVE-2023-2993

Published: Jun 26, 2023Modified: Nov 21, 2024

6.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Exploitability: 2.8 / Impact: 3.4

Source: NVD

Description

A valid, authenticated user with limited privileges may be able to use specifically crafted web management server API calls to execute a limited number of commands on SMM v1, SMM v2, and FPC that the user does not normally have sufficient privileges to execute.

Affected (8)

Products: Lenovo: Nextscale N1200 Enclosure Firmware, Thinkagile Cp Cb 10 Firmware, Thinkagile Cp Cb 10e Firmware, Thinkagile Hx Enclosure Certified Node Firmware, Thinkagile Vx Enclosure Firmware, Thinksystem D2 Enclosure Firmware, Thinksystem Da240 Enclosure Firmware, Thinksystem Dw612 Enclosure Firmware

Lenovo

8 products

Nextscale N1200 Enclosure Firmware

Thinkagile Cp Cb 10 Firmware

Thinkagile Cp Cb 10e Firmware

Thinkagile Hx Enclosure Certified Node Firmware

Thinkagile Vx Enclosure Firmware

Thinksystem D2 Enclosure Firmware

Thinksystem Da240 Enclosure Firmware

Thinksystem Dw612 Enclosure Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Nextscale N1200 Enclosure Firmware	Before fhet60b-3.40

Running on/with	Platform Versions
Lenovo Nextscale N1200 Enclosure	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Cp Cb 10 Firmware	Before tesm38c-1.26

Running on/with	Platform Versions
Lenovo Thinkagile Cp Cb 10	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Cp Cb 10e Firmware	Before tesm38c-1.26

Running on/with	Platform Versions
Lenovo Thinkagile Cp Cb 10e	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Hx Enclosure Certified Node Firmware	Before tesm38c-1.26

Running on/with	Platform Versions
Lenovo Thinkagile Hx Enclosure Certified Node	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Vx Enclosure Firmware	Before tesm38c-1.26

Running on/with	Platform Versions
Lenovo Thinkagile Vx Enclosure	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinksystem D2 Enclosure Firmware	Before tesm38c-1.26

Running on/with	Platform Versions
Lenovo Thinksystem D2 Enclosure	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinksystem Da240 Enclosure Firmware	Before umsm10s-1.07

Running on/with	Platform Versions
Lenovo Thinksystem Da240 Enclosure	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinksystem Dw612 Enclosure Firmware	Before umsm10s-1.07

Running on/with	Platform Versions
Lenovo Thinksystem Dw612 Enclosure	All versions

Related CWEs

CWE-281

Improper Preservation of Permissions

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

References (2)

https://support.lenovo.com/us/en/product_security/LEN-127357

Source: psirt@lenovo.com

Vendor Advisory

https://support.lenovo.com/us/en/product_security/LEN-127357

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.