Vulnerabilities > CVE-2023-2993 - Improper Preservation of Permissions vulnerability in Lenovo products

CVSS 6.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

LOW

network

low complexity

lenovo

CWE-281

NVD

Published: 2023-06-26

Updated: 2023-07-05

Summary

A valid, authenticated user with limited privileges may be able to use specifically crafted web management server API calls to execute a limited number of commands on SMM v1, SMM v2, and FPC that the user does not normally have sufficient privileges to execute.

Vulnerable Configurations

Part	Description	Count
OS	Lenovo Lenovo Nextscale N1200 Enclosure Firmware - Lenovo Nextscale N1200 Enclosure Firmware Fhet50B-2.90 Lenovo Thinkagile CP CB 10 Firmware * Lenovo Thinkagile CP CB 10E Firmware * Lenovo Thinkagile HX Enclosure Certified Node Firmware - Lenovo Thinkagile HX Enclosure Certified Node Firmware Tesm28B-1.21 Lenovo Thinkagile VX Enclosure Firmware - Lenovo Thinkagile VX Enclosure Firmware Tesm28B-1.21 Lenovo Thinksystem D2 Enclosure Firmware - Lenovo Thinksystem D2 Enclosure Firmware Tesm28B-1.21 Lenovo Thinksystem Da240 Enclosure Firmware * Lenovo Thinksystem Dw612 Enclosure Firmware *	12
Hardware	Lenovo Lenovo Nextscale N1200 Enclosure - Lenovo Thinkagile CP CB 10 - Lenovo Thinkagile CP CB 10E - Lenovo Thinkagile HX Enclosure Certified Node - Lenovo Thinkagile VX Enclosure - Lenovo Thinksystem D2 Enclosure - Lenovo Thinksystem Da240 Enclosure - Lenovo Thinksystem Dw612 Enclosure -	8

Common Weakness Enumeration (CWE)

CWE-281 - Improper Preservation of Permissions

References

https://support.lenovo.com/us/en/product_security/LEN-127357