CVE-2019-6195
4.8
Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Exploitability: 1.2 / Impact: 3.6
Source: NVD
Description
An authorization bypass exists in Lenovo XClarity Controller (XCC) versions prior to 3.08 CDI340V, 3.01 TEI392O, 1.71 PSI328N where a valid authenticated user with lesser privileges may be granted read-only access to higher-privileged information if 1) “LDAP Authentication Only with Local Authorization” mode is configured and used by XCC, and 2) a lesser privileged user logs into XCC within 1 minute of a higher privileged user logging out. The authorization bypass does not exist when “Local Authentication and Authorization” or “LDAP Authentication and Authorization” modes are configured and used by XCC.
Affected (3)
Products: Lenovo: Xclarity Controller
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Lenovo Xclarity Controller | Before 3.01_tei392o |

| Running on/with | Platform Versions |
|---|---|
| Lenovo Thinksystem Sd530 | All versions |
| Lenovo Thinksystem Sd650 Dwc | All versions |
| Lenovo Thinksystem Sn550 | All versions |
| Lenovo Thinksystem Sn850 | All versions |
| Lenovo Thinksystem Sr150 | All versions |
| Lenovo Thinksystem Sr158 | All versions |
| Lenovo Thinksystem Sr250 | All versions |
| Lenovo Thinksystem Sr258 | All versions |
| Lenovo Thinksystem Sr850 | All versions |
| Lenovo Thinksystem Sr860 | All versions |
| Lenovo Thinksystem St250 | All versions |
| Lenovo Thinksystem St258 | All versions |
Configuration B
| Vulnerable Software | Affected Versions |
|---|---|
| Lenovo Xclarity Controller | Before 3.08_cdi340v |

| Running on/with | Platform Versions |
|---|---|
| Lenovo Thinkagile Hx 1000 | All versions |
| Lenovo Thinkagile Hx 2000 | All versions |
| Lenovo Thinkagile Hx 3000 | All versions |
| Lenovo Thinkagile Hx 5000 | All versions |
| Lenovo Thinkagile Hx 7000 | All versions |
| Lenovo Thinkagile Mx Sr650 | All versions |
| Lenovo Thinkagile Vx 1000 | All versions |
| Lenovo Thinkagile Vx 2000 | All versions |
| Lenovo Thinkagile Vx 3000 | All versions |
| Lenovo Thinkagile Vx 5000 | All versions |
| Lenovo Thinkagile Vx 7000 | All versions |
| Lenovo Thinksystem Sr530 | All versions |
| Lenovo Thinksystem Sr550 | All versions |
| Lenovo Thinksystem Sr570 | All versions |
| Lenovo Thinksystem Sr590 | All versions |
| Lenovo Thinksystem Sr630 | All versions |
| Lenovo Thinksystem Sr650 | All versions |
| Lenovo Thinksystem St550 | All versions |
| Lenovo Thinksystem St558 | All versions |
Configuration C
| Vulnerable Software | Affected Versions |
|---|---|
| Lenovo Xclarity Controller | Before 1.71_psi328n |

| Running on/with | Platform Versions |
|---|---|
| Lenovo Thinksystem Sr950 Server | All versions |
Related CWEs
References (2)
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Timeline
No history available yet.