Details of VAR-202304-2262

ID

VAR-202304-2262

CVE

CVE-2023-29058

TITLE

plural Lenovo Product vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2023-009601

DESCRIPTION

A valid, authenticated XCC user with read-only permissions can modify custom user roles on other user accounts and the user trespass message through the XCC CLI. There is no exposure if SSH is disabled or if there are no users assigned optional read-only permissions. thinkagile hx5530 firmware, thinkagile hx7530 firmware, ThinkAgile VX3331 firmware etc. Lenovo There are unspecified vulnerabilities in the product.Information may be tampered with

Trust: 1.71

sources: NVD: CVE-2023-29058 // JVNDB: JVNDB-2023-009601 // VULMON: CVE-2023-29058

AFFECTED PRODUCTS

vendor:	lenovo	model:	thinksystem sr650 v2	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx5520	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinksystem st258 v2	scope:	lt	version:	2.60_tgbt42h	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr258	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx1331	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr650	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx1320	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx2320	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinksystem sd630 v2	scope:	lt	version:	2.60_tgbt42h	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx2320-e	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr158	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx3320	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx 1se	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx2720-e	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr550	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx7531	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx3530 f	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinksystem sd530	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinksystem st250	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx3331	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx1320	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx5521-c	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx3720	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx3531 h	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr950	scope:	lt	version:	2.75_psi348s	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx1321	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx2330	scope:	eq	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx3375	scope:	lt	version:	4.71_d8bt48p	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr670	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr250	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx7531	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx5530	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinksystem st250 v2	scope:	lt	version:	2.60_tgbt42h	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx7530	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx7521	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinkstation p920	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinksystem st258	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx3320	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx3331	scope:	lt	version:	4.71_d8bt48p	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx3720	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr530	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx1521-r	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx3330	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinksystem sn850	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx2331	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx7520	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx enclosure	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinksystem se350	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx5531	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr630	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr645	scope:	lt	version:	4.71_d8bt48p	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx2321	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr645 v3	scope:	lt	version:	4.71_d8bt48p	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx1020	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr850p	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr250 v2	scope:	lt	version:	2.60_tgbt42h	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx3520-g	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx7320 n	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx3521-g	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx3321	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx7820	scope:	lt	version:	2.75_psi348s	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr850	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx1021	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinksystem st550	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx5520	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr570	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinksystem sd650	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx1520-r	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinksystem sn550 v2	scope:	lt	version:	2.60_tgbt42h	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx3530-g	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinksystem sn550	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx7820	scope:	lt	version:	2.75_psi348s	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx3520-g	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx3331-h	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr860	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinksystem st650 v2	scope:	lt	version:	2.60_tgbt42h	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr670 v2	scope:	lt	version:	2.60_tgbt42h	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx7520 n	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx5521	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr150	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx7821	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx3531-f	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx 2u4n	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr665	scope:	lt	version:	4.71_d8bt48p	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx7531	scope:	lt	version:	2.75_psi348s	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx3721	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx5530	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx7330	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx7530	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr258 v2	scope:	lt	version:	2.60_tgbt42h	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx3331	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx5520-c	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr630 v2	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx 4u	scope:	lt	version:	2.75_psi348s	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx3330-f	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinksystem sd650 v2	scope:	lt	version:	2.60_tgbt42h	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx2330	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx3376	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx7520	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx2330	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx3330-h	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr590	scope:	lt	version:	8.88_cdi3a4a	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx3331-f	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinksystem sd650-n v2	scope:	lt	version:	2.60_tgbt42h	Trust: 1.0
vendor:	lenovo	model:	thinksystem st658 v2	scope:	lt	version:	2.60_tgbt42h	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr860 v2	scope:	lt	version:	2.60_tgbt42h	Trust: 1.0
vendor:	lenovo	model:	thinkedge se450	scope:	lt	version:	1.60_usx324o	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx3330	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx3530-h	scope:	lt	version:	2.93_afbt30p	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx1021 on se350	scope:	lt	version:	3.72_tei388s	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr850 v2	scope:	lt	version:	2.60_tgbt42h	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr665 v3	scope:	lt	version:	4.71_d8bt48p	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx7530	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkagile hx1321	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkagile hx2320-e	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkagile hx2321	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkagile hx2330	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkagile hx enclosure	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkagile hx1521-r	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkagile hx2720-e	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkagile hx3321	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkagile hx3330	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkagile vx3331	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkagile hx1331	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkagile hx3320	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkagile hx1021	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkagile hx3331	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkagile hx1520-r	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkagile hx1320	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkagile hx2331	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkagile hx5530	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2023-009601 // NVD: CVE-2023-29058

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-29058
value:	MEDIUM
Trust: 1.0
psirt@lenovo.com:	CVE-2023-29058
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2023-29058
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202304-2274
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2023-29058
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 1.0
psirt@lenovo.com:	CVE-2023-29058
baseSeverity:	MEDIUM
baseScore:	6.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.9
impactScore:	5.5
version:	3.1
Trust: 1.0
NVD:	CVE-2023-29058
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2023-009601 // CNNVD: CNNVD-202304-2274 // NVD: CVE-2023-29058 // NVD: CVE-2023-29058

PROBLEMTYPE DATA

problemtype:	CWE-276	Trust: 1.0
problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	Lack of information (CWE-noinfo) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-009601 // NVD: CVE-2023-29058

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202304-2274

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202304-2274

PATCH

title:

Lenovo XClarity Controller Security vulnerabilities

url:

http://123.124.177.30/web/xxk/bdxqById.tag?id=236402

Trust: 0.6

sources: CNNVD: CNNVD-202304-2274

EXTERNAL IDS

db:	NVD	id:	CVE-2023-29058	Trust: 3.3
db:	LENOVO	id:	LEN-118321	Trust: 2.5
db:	JVNDB	id:	JVNDB-2023-009601	Trust: 0.8
db:	CNNVD	id:	CNNVD-202304-2274	Trust: 0.6
db:	VULMON	id:	CVE-2023-29058	Trust: 0.1

sources: VULMON: CVE-2023-29058 // JVNDB: JVNDB-2023-009601 // CNNVD: CNNVD-202304-2274 // NVD: CVE-2023-29058

REFERENCES

url:	https://support.lenovo.com/us/en/product_security/len-118321	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2023-29058	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2023-29058/	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2023-29058 // JVNDB: JVNDB-2023-009601 // CNNVD: CNNVD-202304-2274 // NVD: CVE-2023-29058

SOURCES

db:	VULMON	id:	CVE-2023-29058
db:	JVNDB	id:	JVNDB-2023-009601
db:	CNNVD	id:	CNNVD-202304-2274
db:	NVD	id:	CVE-2023-29058

LAST UPDATE DATE

2024-08-14T13:52:32.640000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2023-29058	date:	2023-04-28T00:00:00
db:	JVNDB	id:	JVNDB-2023-009601	date:	2023-12-06T02:46:00
db:	CNNVD	id:	CNNVD-202304-2274	date:	2023-05-09T00:00:00
db:	NVD	id:	CVE-2023-29058	date:	2023-05-08T17:27:52.427

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2023-29058	date:	2023-04-28T00:00:00
db:	JVNDB	id:	JVNDB-2023-009601	date:	2023-12-06T00:00:00
db:	CNNVD	id:	CNNVD-202304-2274	date:	2023-04-28T00:00:00
db:	NVD	id:	CVE-2023-29058	date:	2023-04-28T21:15:08.750