CVE-2023-4606

Published: Oct 25, 2023Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.

Affected (58)

Lenovo

58 products

Thinkagile Hx5530 Firmware

Thinkagile Vx3331 Firmware

Thinkagile Hx1331 Firmware

Thinkagile Hx2330 Firmware

Thinkagile Hx2331 Firmware

Thinkagile Hx3330 Firmware

Thinkagile Hx3331 Firmware

Thinkagile Hx3375 Firmware

Thinkagile Hx3376 Firmware

Thinkagile Hx5531 Firmware

Thinkagile Hx7530 Firmware

Thinkagile Hx7531 Firmware

Thinkagile Mx3330 F All Flash Firmware

Thinkagile Mx3330 H Hybrid Firmware

Thinkagile Mx3331 F All Flash Firmware

Thinkagile Mx3331 H Hybrid Firmware

Thinkagile Mx3530 F All Flash Firmware

Thinkagile Mx3530 H Hybrid Firmware

Thinkagile Mx3531 H Hybrid Firmware

Thinkagile Mx3531 F All Flash Firmware

Thinkagile Vx2330 Firmware

Thinkagile Vx3330 Firmware

Thinkagile Vx3530 G Firmware

Thinkagile Vx5530 Firmware

Thinkagile Vx7330 Firmware

Thinkagile Vx7530 Firmware

Thinkagile Vx7531 Firmware

Thinksystem Sd630 V2 Firmware

Thinksystem Sd650 V2 Firmware

Thinksystem Sd650 V3 Firmware

Thinksystem Sd650 N V2 Firmware

Thinksystem Sd665 V3 Firmware

Thinksystem Sn550 V2 Firmware

Thinksystem Sr250 Firmware

Thinksystem Sr258 V2 Firmware

Thinksystem Sr630 V2 Firmware

Thinksystem Sr630 V3 Firmware

Thinksystem Sr635 V3 Firmware

Thinksystem Sr645 Firmware

Thinksystem Sr645 V3 Firmware

Thinksystem Sr650 V2 Firmware

Thinksystem Sr650 V3 Firmware

Thinksystem Sr655 V3 Firmware

Thinksystem Sr665 Firmware

Thinksystem Sr665 V3 Firmware

Thinksystem Sr670 Firmware

Thinksystem Sr670 V2 Firmware

Thinksystem Sr675 V3 Firmware

Thinksystem Sr850 V2 Firmware

Thinksystem Sr850 V3 Firmware

Thinksystem Sr860 V2 Firmware

Thinksystem Sr860 V3 Firmware

Thinksystem St250 V2 Firmware

Thinksystem St258 V2 Firmware

Thinksystem St650 V2 Firmware

Thinksystem St650 V3 Firmware

Thinksystem St658 V2 Firmware

Thinksystem St658 V3 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Hx5530 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Hx5530	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Vx3331 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Vx3331	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Hx1331 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Hx1331	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Hx2330 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Hx2330	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Hx2331 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Hx2331	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Hx3330 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Hx3330	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Hx3331 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Hx3331	All versions

Configuration J

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Hx3375 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Hx3375	All versions

Configuration K

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Hx3376 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Hx3376	All versions

Configuration L

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Hx5531 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Hx5531	All versions

Configuration M

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Hx7530 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Hx7530	All versions

Configuration O

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Hx7531 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Hx7531	All versions

Configuration P

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Mx3330 F All Flash Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Mx3330 F All Flash	All versions

Configuration Q

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Mx3330 H Hybrid Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Mx3330 H Hybrid	All versions

Configuration R

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Mx3331 F All Flash Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Mx3331 F All Flash	All versions

Configuration S

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Mx3331 H Hybrid Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Mx3331 H Hybrid	All versions

Configuration T

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Mx3530 F All Flash Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Mx3530 F All Flash	All versions

Configuration U

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Mx3530 H Hybrid Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Mx3530 H Hybrid	All versions

Configuration V

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Mx3531 H Hybrid Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Mx3531 H Hybrid	All versions

Configuration W

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Mx3531 F All Flash Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Mx3531 F All Flash	All versions

Configuration X

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Vx2330 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Vx2330	All versions

Configuration Y

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Vx3330 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Vx3330	All versions

Configuration Z

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Vx3530 G Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Vx3530 G	All versions

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Vx5530 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Vx5530	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Vx7330 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Vx7330	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Vx7530 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Vx7530	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinkagile Vx7531 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinkagile Vx7531	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sd630 V2 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinksystem Sd630 V2	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sd650 V2 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinksystem Sd650 V2	All versions

Configuration G

1 vulnerable

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sd650 V3 Firmware	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sd650 N V2 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinksystem Sd650 N V2	All versions

Configuration I

1 vulnerable

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sd665 V3 Firmware	All versions

Configuration J

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sn550 V2 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinksystem Sn550 V2	All versions

Configuration K

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sr250 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinksystem Sr250 V2	All versions

Configuration L

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sr258 V2 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinksystem Sr258 V2	All versions

Configuration M

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sr630 V2 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinksystem Sr630 V2	All versions

Configuration N

1 vulnerable

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sr630 V3 Firmware	All versions

Configuration O

1 vulnerable

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sr635 V3 Firmware	All versions

Configuration P

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sr645 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinksystem Sr645	All versions

Configuration Q

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sr645 V3 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinksystem Sr645 V3	All versions

Configuration R

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sr650 V2 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinksystem Sr650 V2	All versions

Configuration S

1 vulnerable

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sr650 V3 Firmware	All versions

Configuration T

1 vulnerable

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sr655 V3 Firmware	All versions

Configuration U

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sr665 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinksystem Sr665	All versions

Configuration V

1 vulnerable

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sr665 V3 Firmware	All versions

Configuration W

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sr670 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinksystem Sr670	All versions

Configuration X

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sr670 V2 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinksystem Sr670 V2	All versions

Configuration Y

1 vulnerable

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sr675 V3 Firmware	All versions

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sr850 V2 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinksystem Sr850 V2	All versions

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sr850 V3 Firmware	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sr860 V2 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinksystem Sr860 V2	All versions

Configuration E

1 vulnerable

Vulnerable Software	Affected Versions
Lenovo Thinksystem Sr860 V3 Firmware	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinksystem St250 V2 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinksystem St250 V2	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinksystem St258 V2 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinksystem St258 V2	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinksystem St650 V2 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinksystem St650 V2	All versions

Configuration I

1 vulnerable

Vulnerable Software	Affected Versions
Lenovo Thinksystem St650 V3 Firmware	All versions

Configuration J

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Thinksystem St658 V2 Firmware	All versions

Running on/with	Platform Versions
Lenovo Thinksystem St658 V2	All versions

Configuration K

1 vulnerable

Vulnerable Software	Affected Versions
Lenovo Thinksystem St658 V3 Firmware	All versions

Related CWEs

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://support.lenovo.com/us/en/product_security/LEN-140960

Source: psirt@lenovo.com

Vendor Advisory

https://support.lenovo.com/us/en/product_security/LEN-140960

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.