CVE-2017-3743

Published: Jun 20, 2017Modified: May 13, 2026

7.5

Vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.6 / Impact: 5.9

Source: NVD

Description

If multiple users are concurrently logged into a single system where one user is sending a command via the Lenovo ToolsCenter Advanced Settings Utility (ASU), UpdateXpress System Pack Installer (UXSPI) or Dynamic System Analysis (DSA) to a second machine, the other users may be able to see the user ID and clear text password that were used to access the second machine during the time the command is processing.

Affected (3)

Products: Lenovo: Advanced Settings Utility, Toolscenter Dynamic System Analysis, Updatexpress System Pack Installer

3 products

Advanced Settings Utility

Toolscenter Dynamic System Analysis

Updatexpress System Pack Installer

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Lenovo Advanced Settings Utility	Up to 10.1
Lenovo Toolscenter Dynamic System Analysis	Up to 10.2
Lenovo Updatexpress System Pack Installer	Up to 10.2

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (2)

https://support.lenovo.com/us/en/product_security/LEN-10810

Source: psirt@lenovo.com

PatchVendor Advisory

https://support.lenovo.com/us/en/product_security/LEN-10810

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.