History: Feb 14, 2020 - 5:15 p.m.

CVE-2019-6195

2020-02-14 17:15:13
CWE-269
CWE-264
lenovo
web.nvd.nist.gov
71
cve-2019-6195
authorization bypass
lenovo xclarity controller
xcc
information security
vulnerability

CVSS2: 2.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:N/AC:H/Au:S/C:P/I:N/A:N

CVSS3: 4.8

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

AI Score: 5.1
Confidence: High

EPSS: 0.001
Percentile: 26.4%

An authorization bypass exists in Lenovo XClarity Controller (XCC) versions prior to 3.08 CDI340V, 3.01 TEI392O, 1.71 PSI328N where a valid authenticated user with lesser privileges may be granted read-only access to higher-privileged information if 1) “LDAP Authentication Only with Local Authorization” mode is configured and used by XCC, and 2) a lesser privileged user logs into XCC within 1 minute of a higher privileged user logging out. The authorization bypass does not exist when “Local Authentication and Authorization” or “LDAP Authentication and Authorization” modes are configured and used by XCC.

Affected configurations

Nvd

Node
lenovo xclarity_controller, Range <3.01_tei392o
AND one of (each Match -):
lenovo thinkagile_hx_1000
lenovo thinkagile_hx_2000
lenovo thinkagile_hx_3000
lenovo thinkagile_hx_5000
lenovo thinkagile_hx_7000
lenovo thinkagile_vx_1000
lenovo thinkagile_vx_2000
lenovo thinkagile_vx_3000
lenovo thinkagile_vx_5000
lenovo thinkagile_vx_7000
lenovo thinksystem_sd530
lenovo thinksystem_sd650_dwc
lenovo thinksystem_sn550
lenovo thinksystem_sn850
lenovo thinksystem_sr150
lenovo thinksystem_sr158
lenovo thinksystem_sr250
lenovo thinksystem_sr258
lenovo thinksystem_sr850
lenovo thinksystem_sr860
lenovo thinksystem_st250
lenovo thinksystem_st258

Node
lenovo xclarity_controller, Range <3.08_cdi340v
AND one of (each Match -):
lenovo thinkagile_hx_1000
lenovo thinkagile_hx_2000
lenovo thinkagile_hx_3000
lenovo thinkagile_hx_5000
lenovo thinkagile_hx_7000
lenovo thinkagile_mx_sr650
lenovo thinkagile_vx_1000
lenovo thinkagile_vx_2000
lenovo thinkagile_vx_3000
lenovo thinkagile_vx_5000
lenovo thinkagile_vx_7000
lenovo thinksystem_sr530
lenovo thinksystem_sr550
lenovo thinksystem_sr570
lenovo thinksystem_sr590
lenovo thinksystem_sr630
lenovo thinksystem_sr650
lenovo thinksystem_st550
lenovo thinksystem_st558

Node
lenovo xclarity_controller, Range <1.71_psi328n
AND (Match -):
lenovo thinksystem_sr950_server

Vendor  Product              Version  CPE
lenovo  xclarity_controller  *        cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*
lenovo  thinkagile_hx_1000   -        cpe:2.3:h:lenovo:thinkagile_hx_1000:-:*:*:*:*:*:*:*
lenovo  thinkagile_hx_2000   -        cpe:2.3:h:lenovo:thinkagile_hx_2000:-:*:*:*:*:*:*:*
lenovo  thinkagile_hx_3000   -        cpe:2.3:h:lenovo:thinkagile_hx_3000:-:*:*:*:*:*:*:*
lenovo  thinkagile_hx_5000   -        cpe:2.3:h:lenovo:thinkagile_hx_5000:-:*:*:*:*:*:*:*
lenovo  thinkagile_hx_7000   -        cpe:2.3:h:lenovo:thinkagile_hx_7000:-:*:*:*:*:*:*:*
lenovo  thinkagile_vx_1000   -        cpe:2.3:h:lenovo:thinkagile_vx_1000:-:*:*:*:*:*:*:*
lenovo  thinkagile_vx_2000   -        cpe:2.3:h:lenovo:thinkagile_vx_2000:-:*:*:*:*:*:*:*
lenovo  thinkagile_vx_3000   -        cpe:2.3:h:lenovo:thinkagile_vx_3000:-:*:*:*:*:*:*:*
lenovo  thinkagile_vx_5000   -        cpe:2.3:h:lenovo:thinkagile_vx_5000:-:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "XClarity Controller (XCC)",
    "vendor": "Lenovo",
    "versions": [
      {
        "lessThan": "3.08 CDI340V",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "3.01 TEI392O",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "1.71 PSI328N",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
