CVE-2023-29057
high-risk
Published 2023-04-28
A valid XCC user's local account permissions override their Active Directory permissions under specific configurations. This could lead to privilege escalation. To be vulnerable, LDAP must be configured for authentication/authorization and logins must be configured as "Local First, then LDAP".
Do I need to act?
0.15% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 7.3/10 (High)
Attack vector: NETWORK / Attack complexity: LOW
Affected Products (20)
Thinkagile Hx5530 Firmware
Thinkagile Hx7530 Firmware
Thinkagile Vx3331 Firmware
Thinkagile Hx Enclosure Firmware
Thinkagile Hx1021 Firmware
Thinkagile Hx1320 Firmware
Thinkagile Hx1321 Firmware
Thinkagile Hx1331 Firmware
Thinkagile Hx1520-R Firmware
Thinkagile Hx1521-R Firmware
Thinkagile Hx2320-E Firmware
Thinkagile Hx2321 Firmware
Thinkagile Hx2330 Firmware
Thinkagile Hx2331 Firmware
Thinkagile Hx2720-E Firmware
Thinkagile Hx3320 Firmware
Thinkagile Hx3321 Firmware
Thinkagile Hx3330 Firmware
Thinkagile Hx3331 Firmware
Affected Vendors
References (2)
Vendor Advisory
https://support.lenovo.com/us/en/product_security/LEN-118321
Risk score: 58 / 100 (high-risk)
Severity: 26/34 · High
Exploitability: 1/34 · Minimal
Exposure: 31/34 · Critical