Privilege Escalation in Lenovo Products Due to Local Account Permissions Misconfiguration
CVE-2023-29057

7.3HIGH

Key Information:

Vendor: Lenovo
Status: Xclarity Controller
Vendor: CVE Published:; 28 April 2023

Summary

A misconfiguration in certain Lenovo products allows a valid XCC user's local account permissions to override their Active Directory permissions. This occurs under specific conditions where LDAP is configured for authentication and authorization, and the login sequence is set to 'Local First, then LDAP'. This configuration can lead to unauthorized access and privilege escalation, putting sensitive data and systems at risk.

Affected Version(s)

XClarity Controller Refer to Mitigation strategy section in LEN-118321

References

https://support.lenovo.com/us/en/product_security/LEN-118321

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Apr 28, 2023
Vulnerability Reserved
Mar 30, 2023