CVE-2023-4606
First published: Tue Oct 24 2023(Updated: )
An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.
Credit: psirt@lenovo.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| Lenovo ThinkAgile HX5530 Firmware | ||
| Lenovo ThinkAgile HX5530 Firmware | ||
| All of | ||
| Lenovo ThinkAgile HX7530 Firmware | ||
| Lenovo ThinkAgile HX7530 Firmware | ||
| All of | ||
| Lenovo ThinkAgile VX3331 Firmware | ||
| Lenovo ThinkAgile VX3331 Firmware | ||
| All of | ||
| Lenovo ThinkAgile HX1331 Firmware | ||
| Lenovo ThinkAgile HX1331 Firmware | ||
| All of | ||
| Lenovo ThinkAgile HX2330 Firmware | ||
| Lenovo ThinkAgile HX2330 Firmware | ||
| All of | ||
| Lenovo ThinkAgile HX2331 Firmware | ||
| Lenovo ThinkAgile HX2331 Firmware | ||
| All of | ||
| Lenovo ThinkAgile HX3331 Firmware | ||
| Lenovo ThinkAgile HX3330 Firmware | ||
| All of | ||
| Lenovo ThinkAgile HX3331 Firmware | ||
| Lenovo ThinkAgile HX3331 Firmware | ||
| All of | ||
| Lenovo ThinkAgile HX3375 | ||
| Lenovo ThinkAgile HX3375 | ||
| All of | ||
| Lenovo ThinkAgile HX3376 Firmware | ||
| Lenovo ThinkAgile HX3376 Firmware | ||
| All of | ||
| Lenovo ThinkAgile HX5531 Firmware | ||
| Lenovo ThinkAgile HX5531 Firmware | ||
| All of | ||
| Lenovo ThinkAgile HX7531 Firmware | ||
| Lenovo ThinkAgile HX7531 Firmware | ||
| All of | ||
| Lenovo ThinkAgile MX Certified Node - All Flash Firmware | ||
| Lenovo ThinkAgile MX - All Flash | ||
| All of | ||
| Lenovo ThinkAgile MX3330-H Firmware | ||
| Lenovo ThinkAgile MX3330-H Hybrid Firmware | ||
| All of | ||
| Lenovo ThinkAgile MX Certified Node - All Flash Firmware | ||
| Lenovo ThinkAgile MX3331-F Firmware | ||
| All of | ||
| Lenovo ThinkAgile MX - Hybrid Firmware | ||
| Lenovo ThinkAgile MX3331-H Firmware | ||
| All of | ||
| Lenovo ThinkAgile MX Certified Node - All Flash Firmware | ||
| Lenovo ThinkAgile MX3530 F All Flash | ||
| All of | ||
| Lenovo ThinkAgile MX3530-H Firmware | ||
| Lenovo ThinkAgile MX3530-H Firmware | ||
| All of | ||
| Lenovo ThinkAgile MX - Hybrid Firmware | ||
| Lenovo ThinkAgile MX3531 H Hybrid Firmware | ||
| All of | ||
| Lenovo ThinkAgile MX Certified Node - All Flash Firmware | ||
| Lenovo ThinkAgile MX3531-F | ||
| All of | ||
| Lenovo ThinkAgile VX2330 Firmware | ||
| Lenovo ThinkAgile VX2330 | ||
| All of | ||
| Lenovo ThinkAgile VX3330 Firmware | ||
| Lenovo ThinkAgile VX3330 Firmware | ||
| All of | ||
| Lenovo ThinkAgile VX3530-G Firmware | ||
| Lenovo ThinkAgile VX3530-G Firmware | ||
| All of | ||
| Lenovo ThinkAgile VX5530 Firmware | ||
| Lenovo ThinkAgile VX5530 Firmware | ||
| All of | ||
| Lenovo ThinkAgile VX7330 Firmware | ||
| Lenovo ThinkAgile VX7330 Firmware | ||
| All of | ||
| Lenovo ThinkAgile VX7530 | ||
| Lenovo ThinkAgile VX7530 | ||
| All of | ||
| Lenovo ThinkAgile VX7531 Firmware | ||
| Lenovo ThinkAgile VX7531 Firmware | ||
| All of | ||
| Lenovo ThinkSystem SD630 V2 | ||
| Lenovo ThinkSystem SD630 V2 Firmware | ||
| All of | ||
| Lenovo ThinkSystem SD650-N V2 Firmware | ||
| Lenovo ThinkSystem SD650 V2 Firmware | ||
| Lenovo ThinkSystem SD650 V3 Firmware | ||
| All of | ||
| Lenovo ThinkSystem SD650-N V2 Firmware | ||
| Lenovo ThinkSystem SD650-N V2 Firmware | ||
| Lenovo ThinkSystem SD665 V3 Firmware | ||
| All of | ||
| Lenovo ThinkSystem SN550 V2 Firmware | ||
| Lenovo ThinkSystem SN550 V2 Firmware | ||
| All of | ||
| Lenovo ThinkSystem SR250 Firmware | ||
| Lenovo ThinkSystem SR250 V2 Firmware | ||
| All of | ||
| Lenovo ThinkSystem SR258 V2 Firmware | ||
| Lenovo ThinkSystem SR258 V2 Firmware | ||
| All of | ||
| Lenovo ThinkSystem SR630 V2 | ||
| Lenovo ThinkSystem SR630 V2 Firmware | ||
| Lenovo ThinkSystem SR630 V3 Firmware | ||
| Lenovo ThinkSystem SR635 V3 Firmware | ||
| All of | ||
| Lenovo ThinkSystem SR645 Firmware | ||
| Lenovo ThinkSystem SR645 Firmware | ||
| All of | ||
| Lenovo ThinkSystem SR645 Firmware | ||
| Lenovo ThinkSystem SR645 V3 Firmware | ||
| All of | ||
| Lenovo ThinkSystem SR650 Firmware | ||
| Lenovo ThinkSystem SR650 V2 Firmware | ||
| Lenovo ThinkSystem SR650 Firmware | ||
| Lenovo ThinkSystem SR655 V3 Firmware | ||
| All of | ||
| Lenovo ThinkSystem SR665 Firmware | ||
| Lenovo ThinkSystem SR665 | ||
| Lenovo ThinkSystem SD665 V3 Firmware | ||
| All of | ||
| Lenovo ThinkSystem SR670 V2 | ||
| Lenovo ThinkSystem SR670 V2 | ||
| All of | ||
| Lenovo ThinkSystem SR670 V2 | ||
| Lenovo ThinkSystem SR670 | ||
| Lenovo ThinkSystem SR675 V3 Firmware | ||
| All of | ||
| Lenovo ThinkSystem SR850 V2 Firmware | ||
| Lenovo ThinkSystem SR850 V2 Firmware | ||
| Lenovo ThinkSystem SR850 Firmware | ||
| All of | ||
| Lenovo ThinkSystem SR860 V2 Firmware | ||
| Lenovo ThinkSystem SR860 V2 Firmware | ||
| Lenovo ThinkSystem SR860 Firmware | ||
| All of | ||
| lenovo thinksystem st250 v2 firmware | ||
| lenovo thinksystem st250 v2 firmware | ||
| All of | ||
| Lenovo ThinkSystem ST258 Firmware | ||
| Lenovo ThinkSystem ST258 Firmware | ||
| All of | ||
| Lenovo ThinkSystem ST650 V2 | ||
| Lenovo ThinkSystem ST650 V2 Firmware | ||
| Lenovo ThinkSystem ST650 V3 Firmware | ||
| All of | ||
| Lenovo ThinkSystem ST658 V2 | ||
| Lenovo ThinkSystem ST658 V2 Firmware | ||
| Lenovo ThinkSystem ST658 V3 Firmware |
Remedy
Upgrade to the product version (or newer) indicated for your model in the advisory: https://support.lenovo.com/us/en/product_security/LEN-140960
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-4606?
CVE-2023-4606 is considered to be of high severity due to the impact it has on user password security.
How do I fix CVE-2023-4606?
To remediate CVE-2023-4606, update to the latest firmware version from Lenovo that addresses this vulnerability.
Who is affected by CVE-2023-4606?
CVE-2023-4606 affects authenticated XCC users with Read-Only permission on ThinkSystem v2 and v3 servers.
What can an attacker do with CVE-2023-4606?
An attacker exploiting CVE-2023-4606 can change the password of a different user without proper permissions.
Are ThinkSystem v1 servers vulnerable to CVE-2023-4606?
No, ThinkSystem v1 servers are not affected by CVE-2023-4606.
- agent/type
- agent/remedy
- agent/weakness
- agent/author
- agent/severity
- agent/references
- agent/description
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/lenovo
- canonical/lenovo thinkagile hx5530 firmware
- canonical/lenovo thinkagile hx7530 firmware
- canonical/lenovo thinkagile vx3331 firmware
- canonical/lenovo thinkagile hx1331 firmware
- canonical/lenovo thinkagile hx2330 firmware
- canonical/lenovo thinkagile hx2331 firmware
- canonical/lenovo thinkagile hx3331 firmware
- canonical/lenovo thinkagile hx3330 firmware
- canonical/lenovo thinkagile hx3375
- canonical/lenovo thinkagile hx3376 firmware
- canonical/lenovo thinkagile hx5531 firmware
- canonical/lenovo thinkagile hx7531 firmware
- canonical/lenovo thinkagile mx certified node - all flash firmware
- canonical/lenovo thinkagile mx - all flash
- canonical/lenovo thinkagile mx3330-h firmware
- canonical/lenovo thinkagile mx3330-h hybrid firmware
- canonical/lenovo thinkagile mx3331-f firmware
- canonical/lenovo thinkagile mx - hybrid firmware
- canonical/lenovo thinkagile mx3331-h firmware
- canonical/lenovo thinkagile mx3530 f all flash
- canonical/lenovo thinkagile mx3530-h firmware
- canonical/lenovo thinkagile mx3531 h hybrid firmware
- canonical/lenovo thinkagile mx3531-f
- canonical/lenovo thinkagile vx2330 firmware
- canonical/lenovo thinkagile vx2330
- canonical/lenovo thinkagile vx3330 firmware
- canonical/lenovo thinkagile vx3530-g firmware
- canonical/lenovo thinkagile vx5530 firmware
- canonical/lenovo thinkagile vx7330 firmware
- canonical/lenovo thinkagile vx7530
- canonical/lenovo thinkagile vx7531 firmware
- canonical/lenovo thinksystem sd630 v2
- canonical/lenovo thinksystem sd630 v2 firmware
- canonical/lenovo thinksystem sd650-n v2 firmware
- canonical/lenovo thinksystem sd650 v2 firmware
- canonical/lenovo thinksystem sd650 v3 firmware
- canonical/lenovo thinksystem sd665 v3 firmware
- canonical/lenovo thinksystem sn550 v2 firmware
- canonical/lenovo thinksystem sr250 firmware
- canonical/lenovo thinksystem sr250 v2 firmware
- canonical/lenovo thinksystem sr258 v2 firmware
- canonical/lenovo thinksystem sr630 v2
- canonical/lenovo thinksystem sr630 v2 firmware
- canonical/lenovo thinksystem sr630 v3 firmware
- canonical/lenovo thinksystem sr635 v3 firmware
- canonical/lenovo thinksystem sr645 firmware
- canonical/lenovo thinksystem sr645 v3 firmware
- canonical/lenovo thinksystem sr650 firmware
- canonical/lenovo thinksystem sr650 v2 firmware
- canonical/lenovo thinksystem sr655 v3 firmware
- canonical/lenovo thinksystem sr665 firmware
- canonical/lenovo thinksystem sr665
- canonical/lenovo thinksystem sr670 v2
- canonical/lenovo thinksystem sr670
- canonical/lenovo thinksystem sr675 v3 firmware
- canonical/lenovo thinksystem sr850 v2 firmware
- canonical/lenovo thinksystem sr850 firmware
- canonical/lenovo thinksystem sr860 v2 firmware
- canonical/lenovo thinksystem sr860 firmware
- canonical/lenovo thinksystem st250 v2 firmware
- canonical/lenovo thinksystem st258 firmware
- canonical/lenovo thinksystem st650 v2
- canonical/lenovo thinksystem st650 v2 firmware
- canonical/lenovo thinksystem st650 v3 firmware
- canonical/lenovo thinksystem st658 v2
- canonical/lenovo thinksystem st658 v2 firmware
- canonical/lenovo thinksystem st658 v3 firmware