CVE-2023-2993

Summary

A valid, authenticated user with limited privileges may be able to use specifically crafted web management server API calls to execute a limited number of commands on SMM v1, SMM v2, and FPC that the user does not normally have sufficient privileges to execute.

Affected Software

VendorProductVersion RangeStatus
LenovoSystem Management Module (SMM)variousaffected
LenovoFan Power Controller (FPC)variousaffected

Weaknesses

  • CWE-281: CWE-281 Improper Preservation of Permissions

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References