CVE-2019-6161

Published: Sep 26, 2019Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An internal product security audit discovered a session handling vulnerability in the web interface of ThinkAgile CP-SB (Storage Block) BMC in firmware versions prior to 1908.M. This vulnerability allows session IDs to be reused, which could provide unauthorized access to the BMC under certain circumstances. This vulnerability does not affect ThinkSystem XCC, System x IMM2, or other BMCs.

Affected (1)

Products: Lenovo: Cp Storage Block Firmware

1 product

Cp Storage Block Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo Cp Storage Block Firmware	Before 1908.m

Running on/with	Platform Versions
Lenovo Cp Storage Block	All versions

Related CWEs

Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

References (2)

https://support.lenovo.com/solutions/LEN-26957

Source: psirt@lenovo.com

Vendor Advisory

https://support.lenovo.com/solutions/LEN-26957

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.