CVE-2023-29056
high-risk
Published 2023-04-28
A valid LDAP user, under specific conditions, will default to read-only permissions when authenticating into XCC. To be vulnerable, XCC must be configured to use an LDAP server for authentication/authorization and the login permission attribute must not be defined.
Do I need to act?
EPSS: 0.20% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS 5.3/10 (Medium)
Attack vector: NETWORK / Attack complexity: LOW
Affected Products (20)
Thinkagile Hx5530 Firmware
Thinkagile Hx7530 Firmware
Thinkagile Vx3331 Firmware
Thinkagile Hx Enclosure Firmware
Thinkagile Hx1021 Firmware
Thinkagile Hx1320 Firmware
Thinkagile Hx1321 Firmware
Thinkagile Hx1331 Firmware
Thinkagile Hx1520-R Firmware
Thinkagile Hx1521-R Firmware
Thinkagile Hx2320-E Firmware
Thinkagile Hx2321 Firmware
Thinkagile Hx2330 Firmware
Thinkagile Hx2331 Firmware
Thinkagile Hx2720-E Firmware
Thinkagile Hx3320 Firmware
Thinkagile Hx3321 Firmware
Thinkagile Hx3330 Firmware
Thinkagile Hx3331 Firmware
Affected Vendors
Lenovo
References
Vendor Advisory
https://support.lenovo.com/us/en/product_security/LEN-118321
Risk score: 53 / 100 (high-risk)
Severity: 21/34 · High
Exploitability: 1/34 · Minimal
Exposure: 31/34 · Critical