XCC Vulnerability in Lenovo Product Allows Unauthorized Role Modification
CVE-2023-29058
6.4 MEDIUM
Summary
An access-control misconfiguration in Lenovo's XClarity Controller (XCC) allows a valid authenticated user who holds only read-only permissions to modify the custom user roles of other accounts and to alter trespass messages through the XCC CLI. This can lead to unauthorized privilege escalation when SSH is enabled and read-only permissions have been assigned to multiple users. To minimize the risk, ensure that SSH is disabled or that user permissions are allocated appropriately.
Affected Version(s)
XClarity Controller (refer to the Mitigation Strategy section of Lenovo advisory LEN-118321)
CVSS v3.1
Score: 6.4
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: High
Availability: Low
Timeline
Vulnerability published
Vulnerability Reserved