4.8
CVE-2019-6195
- EPSS 0.14%
- Published 14.02.2020 17:15:13
- Last modified 21.11.2024 04:46:09
- Source psirt@lenovo.com
An authorization bypass exists in Lenovo XClarity Controller (XCC) versions prior to 3.08 CDI340V, 3.01 TEI392O, 1.71 PSI328N where a valid authenticated user with lesser privileges may be granted read-only access to higher-privileged information if 1) “LDAP Authentication Only with Local Authorization” mode is configured and used by XCC, and 2) a lesser privileged user logs into XCC within 1 minute of a higher privileged user logging out. The authorization bypass does not exist when “Local Authentication and Authorization” or “LDAP Authentication and Authorization” modes are configured and used by XCC.
Data is provided by the National Vulnerability Database (NVD)
Lenovo ≫ Xclarity Controller Version < 3.01_tei392o
Lenovo ≫ Thinkagile Hx 1000 Version-
Lenovo ≫ Thinkagile Hx 2000 Version-
Lenovo ≫ Thinkagile Hx 3000 Version-
Lenovo ≫ Thinkagile Hx 5000 Version-
Lenovo ≫ Thinkagile Hx 7000 Version-
Lenovo ≫ Thinkagile Vx 1000 Version-
Lenovo ≫ Thinkagile Vx 2000 Version-
Lenovo ≫ Thinkagile Vx 3000 Version-
Lenovo ≫ Thinkagile Vx 5000 Version-
Lenovo ≫ Thinkagile Vx 7000 Version-
Lenovo ≫ Thinksystem Sd530 Version-
Lenovo ≫ Thinksystem Sd650 Dwc Version-
Lenovo ≫ Thinksystem Sn550 Version-
Lenovo ≫ Thinksystem Sn850 Version-
Lenovo ≫ Thinksystem Sr150 Version-
Lenovo ≫ Thinksystem Sr158 Version-
Lenovo ≫ Thinksystem Sr250 Version-
Lenovo ≫ Thinksystem Sr258 Version-
Lenovo ≫ Thinksystem Sr850 Version-
Lenovo ≫ Thinksystem Sr860 Version-
Lenovo ≫ Thinksystem St250 Version-
Lenovo ≫ Thinksystem St258 Version-
Lenovo ≫ Xclarity Controller Version < 3.08_cdi340v
Lenovo ≫ Thinkagile Hx 1000 Version-
Lenovo ≫ Thinkagile Hx 2000 Version-
Lenovo ≫ Thinkagile Hx 3000 Version-
Lenovo ≫ Thinkagile Hx 5000 Version-
Lenovo ≫ Thinkagile Hx 7000 Version-
Lenovo ≫ Thinkagile Mx Sr650 Version-
Lenovo ≫ Thinkagile Vx 1000 Version-
Lenovo ≫ Thinkagile Vx 2000 Version-
Lenovo ≫ Thinkagile Vx 3000 Version-
Lenovo ≫ Thinkagile Vx 5000 Version-
Lenovo ≫ Thinkagile Vx 7000 Version-
Lenovo ≫ Thinksystem Sr530 Version-
Lenovo ≫ Thinksystem Sr550 Version-
Lenovo ≫ Thinksystem Sr570 Version-
Lenovo ≫ Thinksystem Sr590 Version-
Lenovo ≫ Thinksystem Sr630 Version-
Lenovo ≫ Thinksystem Sr650 Version-
Lenovo ≫ Thinksystem St550 Version-
Lenovo ≫ Thinksystem St558 Version-
Lenovo ≫ Xclarity Controller Version < 1.71_psi328n
No CISA KEV or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 0.14% | 0.353 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 4.8 | 1.2 | 3.6 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N |
nvd@nist.gov | 2.1 | 3.9 | 2.9 | AV:N/AC:H/Au:S/C:P/I:N/A:N |
psirt@lenovo.com | 4.8 | 1.2 | 3.6 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N |
CWE-269 Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.