Skip to main content

Thinkagile Hx5530 Firmware CVE-2023-4606

HIGH
Missing Authorization (CWE-862)
2023-10-25 psirt@lenovo.com
Authentication Bypass Thinkagile Hx5530 Firmware Thinkagile Hx7530 Firmware Thinkagile Vx3331 Firmware Thinkagile Hx1331 Firmware Thinkagile Hx2330 Firmware Thinkagile Hx2331 Firmware Thinkagile Hx3330 Firmware Thinkagile Hx3331 Firmware Thinkagile Hx3375 Firmware Thinkagile Hx3376 Firmware Thinkagile Hx5531 Firmware Thinkagile Hx7531 Firmware Thinkagile Mx3330 F All Flash Firmware Thinkagile Mx3330 H Hybrid Firmware Thinkagile Mx3331 F All Flash Firmware Thinkagile Mx3331 H Hybrid Firmware Thinkagile Mx3530 F All Flash Firmware Thinkagile Mx3530 H Hybrid Firmware Thinkagile Mx3531 H Hybrid Firmware Thinkagile Mx3531 F All Flash Firmware Thinkagile Vx2330 Firmware Thinkagile Vx3330 Firmware Thinkagile Vx3530 G Firmware Thinkagile Vx5530 Firmware Thinkagile Vx7330 Firmware Thinkagile Vx7530 Firmware Thinkagile Vx7531 Firmware Thinksystem Sd630 V2 Firmware Thinksystem Sd650 V2 Firmware Thinksystem Sd650 V3 Firmware Thinksystem Sd650 N V2 Firmware Thinksystem Sd665 V3 Firmware Thinksystem Sn550 V2 Firmware Thinksystem Sr250 Firmware Thinksystem Sr258 V2 Firmware Thinksystem Sr630 V2 Firmware Thinksystem Sr630 V3 Firmware Thinksystem Sr635 V3 Firmware Thinksystem Sr645 Firmware Thinksystem Sr645 V3 Firmware Thinksystem Sr650 V2 Firmware Thinksystem Sr650 V3 Firmware Thinksystem Sr655 V3 Firmware Thinksystem Sr665 Firmware Thinksystem Sr665 V3 Firmware Thinksystem Sr670 Firmware Thinksystem Sr670 V2 Firmware Thinksystem Sr675 V3 Firmware Thinksystem Sr850 V2 Firmware Thinksystem Sr850 V3 Firmware Thinksystem Sr860 V2 Firmware Thinksystem Sr860 V3 Firmware Thinksystem St250 V2 Firmware Thinksystem St258 V2 Firmware Thinksystem St650 V2 Firmware Thinksystem St650 V3 Firmware Thinksystem St658 V2 Firmware Thinksystem St658 V3 Firmware
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Oct 25, 2023 - 18:17 nvd
HIGH 8.1

DescriptionNVD

An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command.

This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.

AnalysisAI

An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected. Affected products include: Lenovo Thinkagile Hx5530 Firmware, Lenovo Thinkagile Hx7530 Firmware, Lenovo Thinkagile Vx3331 Firmware, Lenovo Thinkagile Hx1331 Firmware, Lenovo Thinkagile Hx2330 Firmware.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.

Share

CVE-2023-4606 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy