Details of VAR-202310-1031

ID

VAR-202310-1031

CVE

CVE-2023-4607

DESCRIPTION

An authenticated XCC user can change permissions for any user through a crafted API command

Trust: 0.99

sources: NVD: CVE-2023-4607 // VULMON: CVE-2023-4607

AFFECTED PRODUCTS

vendor:	lenovo	model:	thinksystem sr860 v2	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr590	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx2321	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx1521-r	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr630 v2	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr630 v3	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr670 v2	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr675 v3	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr635 v3	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx edge- mx1020	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sn850	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx5530	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx7330	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr850p	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx7530	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx3321	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx5520	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx3530-h hybrid	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx3330-h hybrid	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx3531 h hybrid	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr650	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx2331	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr665 v3	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx2320-e	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr158	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx2720-e	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx7520 n	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr550	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr258 v2	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sd530	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr850	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr860	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx3720	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx630 v3	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx1021 edg	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx3721	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx3320	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr950	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr670	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx3521-g	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr665	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr655 v3	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx7820	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr850 v3	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx3331	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem st258	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx3530-g	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx 2u4n	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem st658 v3	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sd650-n v2	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sd650 v2	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx7530	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr850 v2	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem st658 v2	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sd665 v3	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr860 v3	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx3331-f all-flash	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx5521-c	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem st258 v2	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx enclosure	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem se350	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx 4u	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx3531-f all-flash	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx5520	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx7531	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx3331	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr645	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr645 v3	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx7521	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx2320	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx2330	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sd630 v2	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr258	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem st650 v2	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx3520-g	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx650 v3	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx7320 n	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx3320	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx2330	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx1021 on se350	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx3520-g	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem st550	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sn550 v2	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx1320	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx5521	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx3330	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr570	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx3330	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx3530 f all flash	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx1321	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx1520-r	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx630 v3 intergrated system	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr650 v2	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sn550	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem st250 v2	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx 1se	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx1331	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr250	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr150	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem st650 v3	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx5520-c	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem st250	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx1320	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sd650 v3	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx7820	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr530	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx3331-h hybrid	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx7531	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx650 v3 intergrated system	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sd650 dual node tray	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr650 v3	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile mx3330-f all-flash	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx7520	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx7821	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx3375	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkedge se450	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx3376	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx5530	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile vx7520	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx5531	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sr630	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinkagile hx3720	scope:	eq	version:	-	Trust: 1.0
vendor:	lenovo	model:	thinksystem sd650 dwc dual node tray	scope:	eq	version:	-	Trust: 1.0

sources: NVD: CVE-2023-4607

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-4607
value:	HIGH
Trust: 1.0
psirt@lenovo.com:	CVE-2023-4607
value:	HIGH
Trust: 1.0

nvd@nist.gov:	CVE-2023-4607
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
psirt@lenovo.com:	CVE-2023-4607
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.6
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: NVD: CVE-2023-4607 // NVD: CVE-2023-4607

PROBLEMTYPE DATA

problemtype:

CWE-269

Trust: 1.0

sources: NVD: CVE-2023-4607

EXTERNAL IDS

db:	LENOVO	id:	LEN-140960	Trust: 1.1
db:	NVD	id:	CVE-2023-4607	Trust: 1.1
db:	VULMON	id:	CVE-2023-4607	Trust: 0.1

sources: VULMON: CVE-2023-4607 // NVD: CVE-2023-4607

REFERENCES

url:	https://support.lenovo.com/us/en/product_security/len-140960	Trust: 1.1
url:	https://cwe.mitre.org/data/definitions/269.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2023-4607 // NVD: CVE-2023-4607

SOURCES

db:	VULMON	id:	CVE-2023-4607
db:	NVD	id:	CVE-2023-4607

LAST UPDATE DATE

2024-08-14T14:42:59.045000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2023-4607	date:	2023-10-25T00:00:00
db:	NVD	id:	CVE-2023-4607	date:	2023-11-07T19:14:20.553

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2023-4607	date:	2023-10-25T00:00:00
db:	NVD	id:	CVE-2023-4607	date:	2023-10-25T18:17:41.560