CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Authentication | SINGLE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |

AV:N/AC:H/Au:S/C:P/I:N/A:N

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | LOW |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | NONE |

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

AI Score

Metric | Value |
---|---|
Confidence | High |

EPSS

Metric | Value |
---|---|
Percentile | 26.4% |

An authorization bypass exists in Lenovo XClarity Controller (XCC) versions prior to 3.08 CDI340V, 3.01 TEI392O, 1.71 PSI328N where a valid authenticated user with lesser privileges may be granted read-only access to higher-privileged information if 1) “LDAP Authentication Only with Local Authorization” mode is configured and used by XCC, and 2) a lesser privileged user logs into XCC within 1 minute of a higher privileged user logging out. The authorization bypass does not exist when “Local Authentication and Authorization” or “LDAP Authentication and Authorization” modes are configured and used by XCC.
Vendor | Product | Version | CPE |
---|---|---|---|
lenovo | xclarity_controller | * | cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:* |
lenovo | thinkagile_hx_1000 | - | cpe:2.3:h:lenovo:thinkagile_hx_1000:-:*:*:*:*:*:*:* |
lenovo | thinkagile_hx_2000 | - | cpe:2.3:h:lenovo:thinkagile_hx_2000:-:*:*:*:*:*:*:* |
lenovo | thinkagile_hx_3000 | - | cpe:2.3:h:lenovo:thinkagile_hx_3000:-:*:*:*:*:*:*:* |
lenovo | thinkagile_hx_5000 | - | cpe:2.3:h:lenovo:thinkagile_hx_5000:-:*:*:*:*:*:*:* |
lenovo | thinkagile_hx_7000 | - | cpe:2.3:h:lenovo:thinkagile_hx_7000:-:*:*:*:*:*:*:* |
lenovo | thinkagile_vx_1000 | - | cpe:2.3:h:lenovo:thinkagile_vx_1000:-:*:*:*:*:*:*:* |
lenovo | thinkagile_vx_2000 | - | cpe:2.3:h:lenovo:thinkagile_vx_2000:-:*:*:*:*:*:*:* |
lenovo | thinkagile_vx_3000 | - | cpe:2.3:h:lenovo:thinkagile_vx_3000:-:*:*:*:*:*:*:* |
lenovo | thinkagile_vx_5000 | - | cpe:2.3:h:lenovo:thinkagile_vx_5000:-:*:*:*:*:*:*:* |

[
  {
    "product": "XClarity Controller (XCC)",
    "vendor": "Lenovo",
    "versions": [
      {
        "lessThan": "3.08 CDI340V",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "3.01 TEI392O",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "1.71 PSI328N",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]