ID

VAR-202002-0371


CVE

CVE-2019-6195


TITLE

Lenovo XClarity Controller Vulnerability related to authority management in

Trust: 0.8

sources: JVNDB: JVNDB-2019-014747

DESCRIPTION

An authorization bypass exists in Lenovo XClarity Controller (XCC) versions prior to 3.08 CDI340V, 3.01 TEI392O, 1.71 PSI328N where a valid authenticated user with lesser privileges may be granted read-only access to higher-privileged information if 1) “LDAP Authentication Only with Local Authorization” mode is configured and used by XCC, and 2) a lesser privileged user logs into XCC within 1 minute of a higher privileged user logging out. The authorization bypass does not exist when “Local Authentication and Authorization” or “LDAP Authentication and Authorization” modes are configured and used by XCC. Lenovo XClarity Controller (XCC) contains a privilege management vulnerability. Information may be obtained. XCC is mainly used to standardize and automate basic server management tasks. A permissions and access control vulnerability exists in Lenovo XCC versions prior to 3.08 CDI340V, versions prior to 3.01 TEI392O, and versions prior to 1.71 PSI328N. The vulnerability stems from the lack of effective permissions and access control measures for network systems or products. No further vulnerability details are provided at this time.

Trust: 2.16

sources: NVD: CVE-2019-6195 // JVNDB: JVNDB-2019-014747 // CNVD: CNVD-2020-13498

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-13498

AFFECTED PRODUCTS

vendor: lenovo, model: xclarity controller, scope: lt, version: 1.71_psi328n

Trust: 1.0

vendor: lenovo, model: xclarity controller, scope: lt, version: 3.01_tei392o

Trust: 1.0

vendor: lenovo, model: xclarity controller, scope: lt, version: 3.08_cdi340v

Trust: 1.0

vendor: lenovo, model: xclarity controller, scope: eq, version: 1.71 psi328n

Trust: 0.8

vendor: lenovo, model: xclarity controller, scope: eq, version: 3.01 tei392o

Trust: 0.8

vendor: lenovo, model: xclarity controller, scope: eq, version: 3.08 cdi340v

Trust: 0.8

vendor: lenovo, model: xclarity controller cdi340v, scope: lt, version: 3.08

Trust: 0.6

vendor: lenovo, model: xclarity controller tei392o, scope: lt, version: 3.01

Trust: 0.6

vendor: lenovo, model: xclarity controller psi328n, scope: lt, version: 1.71

Trust: 0.6

sources: CNVD: CNVD-2020-13498 // JVNDB: JVNDB-2019-014747 // NVD: CVE-2019-6195

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-6195
value: MEDIUM

Trust: 1.0

psirt@lenovo.com: CVE-2019-6195
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2019-014747
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-13498
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202002-483
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2019-6195
severity: LOW
baseScore: 2.1
vectorString: AV:N/AC:H/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2019-014747
severity: LOW
baseScore: 2.1
vectorString: AV:N/AC:H/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-13498
severity: MEDIUM
baseScore: 4.9
vectorString: AV:N/AC:H/AU:S/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-6195
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.2
impactScore: 3.6
version: 3.1

Trust: 2.0

NVD: JVNDB-2019-014747
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-13498 // JVNDB: JVNDB-2019-014747 // CNNVD: CNNVD-202002-483 // NVD: CVE-2019-6195 // NVD: CVE-2019-6195

PROBLEMTYPE DATA

problemtype: CWE-269

Trust: 1.8

problemtype: CWE-264

Trust: 1.0

sources: JVNDB: JVNDB-2019-014747 // NVD: CVE-2019-6195

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-483

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-202002-483

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-014747

PATCH

title: LEN-29116, url: https://support.lenovo.com/us/en/product_security/LEN-29116

Trust: 0.8

title: Patch for Lenovo XClarity Controller Rights Licensing and Access Control Issue Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/204799

Trust: 0.6

title: Lenovo XClarity Controller Fixes for permissions and access control issues vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=109590

Trust: 0.6

sources: CNVD: CNVD-2020-13498 // JVNDB: JVNDB-2019-014747 // CNNVD: CNNVD-202002-483

EXTERNAL IDS

db: NVD, id: CVE-2019-6195

Trust: 3.0

db: LENOVO, id: LEN-29116

Trust: 1.6

db: JVNDB, id: JVNDB-2019-014747

Trust: 0.8

db: CNVD, id: CNVD-2020-13498

Trust: 0.6

db: CNNVD, id: CNNVD-202002-483

Trust: 0.6

sources: CNVD: CNVD-2020-13498 // JVNDB: JVNDB-2019-014747 // CNNVD: CNNVD-202002-483 // NVD: CVE-2019-6195

REFERENCES

url: https://support.lenovo.com/us/en/product_security/len-29116

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2019-6195

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6195

Trust: 0.8

url: https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-firmware-supporting-products-shipped-with-ibm-clouf-pak-system/

Trust: 0.6

sources: CNVD: CNVD-2020-13498 // JVNDB: JVNDB-2019-014747 // CNNVD: CNNVD-202002-483 // NVD: CVE-2019-6195

SOURCES

db: CNVD, id: CNVD-2020-13498
db: JVNDB, id: JVNDB-2019-014747
db: CNNVD, id: CNNVD-202002-483
db: NVD, id: CVE-2019-6195

LAST UPDATE DATE

2024-08-14T15:02:01.060000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-13498, date: 2020-02-26T00:00:00
db: JVNDB, id: JVNDB-2019-014747, date: 2020-03-13T00:00:00
db: CNNVD, id: CNNVD-202002-483, date: 2020-12-02T00:00:00
db: NVD, id: CVE-2019-6195, date: 2020-03-04T18:26:14.687

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-13498, date: 2020-02-26T00:00:00
db: JVNDB, id: JVNDB-2019-014747, date: 2020-03-13T00:00:00
db: CNNVD, id: CNNVD-202002-483, date: 2020-02-11T00:00:00
db: NVD, id: CVE-2019-6195, date: 2020-02-14T17:15:13.223