CVE-2019-6195
low-risk
Published 2020-02-14
An authorization bypass exists in Lenovo XClarity Controller (XCC) versions prior to 3.08 CDI340V, 3.01 TEI392O, 1.71 PSI328N where a valid authenticated user with lesser privileges may be granted read-only access to higher-privileged information if 1) “LDAP Authentication Only with Local Authorization” mode is configured and used by XCC, and 2) a lesser privileged user logs into XCC within 1 minute of a higher privileged user logging out. The authorization bypass does not exist when “Local Authentication and Authorization” or “LDAP Authentication and Authorization” modes are configured and used by XCC.
Do I need to act?
0.14% chance of exploitation (EPSS score: low exploit probability)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 4.8/10, Medium (attack vector NETWORK / HIGH attack complexity)
Affected Products (1)
Xclarity Controller
Affected Vendors
References (2)
Vendor Advisory
https://support.lenovo.com/us/en/product_security/LEN-29116
21 / 100
low-risk
Severity
15/34 · Moderate
Exploitability
1/34 · Minimal
Exposure
5/34 · Minimal