CVE-2023-29058
high-risk
Published 2023-04-28
A valid, authenticated XCC user with read-only permissions can modify custom user roles on other user accounts and the user trespass message through the XCC CLI. There is no exposure if SSH is disabled or if there are no users assigned optional read-only permissions.
Do I need to act?
-
0.08% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.4/10
Medium
NETWORK
/ LOW complexity
Affected Products (20)
Thinkagile Hx5530 Firmware
Thinkagile Hx7530 Firmware
Thinkagile Vx3331 Firmware
Thinkagile Hx Enclosure Firmware
Thinkagile Hx1021 Firmware
Thinkagile Hx1320 Firmware
Thinkagile Hx1321 Firmware
Thinkagile Hx1331 Firmware
Thinkagile Hx1520-R Firmware
Thinkagile Hx1521-R Firmware
Thinkagile Hx2320-E Firmware
Thinkagile Hx2321 Firmware
Thinkagile Hx2330 Firmware
Thinkagile Hx2330 Firmware
Thinkagile Hx2331 Firmware
Thinkagile Hx2720-E Firmware
Thinkagile Hx3320 Firmware
Thinkagile Hx3321 Firmware
Thinkagile Hx3330 Firmware
Thinkagile Hx3331 Firmware
Affected Vendors
References (2)
Vendor Advisory
https://support.lenovo.com/us/en/product_security/LEN-118321
Vendor Advisory
https://support.lenovo.com/us/en/product_security/LEN-118321
55
/ 100
high-risk
Severity
24/34 · High
Exploitability
0/34 · Minimal
Exposure
31/34 · Critical