CVE-2019-6195

Severity Score

4.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An authorization bypass exists in Lenovo XClarity Controller (XCC) versions prior to 3.08 CDI340V, 3.01 TEI392O, 1.71 PSI328N where a valid authenticated user with lesser privileges may be granted read-only access to higher-privileged information if 1) “LDAP Authentication Only with Local Authorization” mode is configured and used by XCC, and 2) a lesser privileged user logs into XCC within 1 minute of a higher privileged user logging out. The authorization bypass does not exist when “Local Authentication and Authorization” or “LDAP Authentication and Authorization” modes are configured and used by XCC.

Se presenta una omisión de autorización en Lenovo XClarity Controller (XCC) versiones anteriores a 3.08 CDI340V, versión 3.01 TEI392O, versión 1.71 PSI328N, donde un usuario autenticado válido con privilegios menores puede tener acceso de solo de lectura a información con privilegios superiores si 1) "LDAP Authentication Only with Local Authorization” es configurado y utilizado por XCC, y 2) un usuario con menos privilegios inicia sesión en XCC dentro de 1 minuto después de que un usuario con mayor privilegio cierre sesión. La omisión de autorización no se presenta cuando los modos “Local Authentication and Authorization” o “LDAP Authentication and Authorization” son configurados y utilizados por XCC.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-01-11 CVE Reserved
2020-02-14 CVE Published
2023-03-08 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-264: Permissions, Privileges, and Access Controls
CWE-269: Improper Privilege Management

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://support.lenovo.com/us/en/product_security/LEN-29116	2020-03-04

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.01_tei392o Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.01_tei392o"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinkagile Hx 1000 Search vendor "Lenovo" for product "Thinkagile Hx 1000"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.01_tei392o Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.01_tei392o"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinkagile Hx 2000 Search vendor "Lenovo" for product "Thinkagile Hx 2000"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.01_tei392o Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.01_tei392o"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinkagile Hx 3000 Search vendor "Lenovo" for product "Thinkagile Hx 3000"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.01_tei392o Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.01_tei392o"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinkagile Hx 5000 Search vendor "Lenovo" for product "Thinkagile Hx 5000"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.01_tei392o Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.01_tei392o"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinkagile Hx 7000 Search vendor "Lenovo" for product "Thinkagile Hx 7000"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.01_tei392o Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.01_tei392o"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinkagile Vx 1000 Search vendor "Lenovo" for product "Thinkagile Vx 1000"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.01_tei392o Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.01_tei392o"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinkagile Vx 2000 Search vendor "Lenovo" for product "Thinkagile Vx 2000"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.01_tei392o Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.01_tei392o"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinkagile Vx 3000 Search vendor "Lenovo" for product "Thinkagile Vx 3000"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.01_tei392o Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.01_tei392o"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinkagile Vx 5000 Search vendor "Lenovo" for product "Thinkagile Vx 5000"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.01_tei392o Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.01_tei392o"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinkagile Vx 7000 Search vendor "Lenovo" for product "Thinkagile Vx 7000"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.01_tei392o Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.01_tei392o"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinksystem Sd530 Search vendor "Lenovo" for product "Thinksystem Sd530"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.01_tei392o Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.01_tei392o"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinksystem Sd650 Dwc Search vendor "Lenovo" for product "Thinksystem Sd650 Dwc"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.01_tei392o Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.01_tei392o"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinksystem Sn550 Search vendor "Lenovo" for product "Thinksystem Sn550"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.01_tei392o Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.01_tei392o"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinksystem Sn850 Search vendor "Lenovo" for product "Thinksystem Sn850"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.01_tei392o Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.01_tei392o"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinksystem Sr150 Search vendor "Lenovo" for product "Thinksystem Sr150"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.01_tei392o Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.01_tei392o"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinksystem Sr158 Search vendor "Lenovo" for product "Thinksystem Sr158"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.01_tei392o Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.01_tei392o"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinksystem Sr250 Search vendor "Lenovo" for product "Thinksystem Sr250"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.01_tei392o Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.01_tei392o"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinksystem Sr258 Search vendor "Lenovo" for product "Thinksystem Sr258"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.01_tei392o Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.01_tei392o"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinksystem Sr850 Search vendor "Lenovo" for product "Thinksystem Sr850"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.01_tei392o Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.01_tei392o"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinksystem Sr860 Search vendor "Lenovo" for product "Thinksystem Sr860"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.01_tei392o Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.01_tei392o"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinksystem St250 Search vendor "Lenovo" for product "Thinksystem St250"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.01_tei392o Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.01_tei392o"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinksystem St258 Search vendor "Lenovo" for product "Thinksystem St258"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.08_cdi340v Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.08_cdi340v"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinkagile Hx 1000 Search vendor "Lenovo" for product "Thinkagile Hx 1000"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.08_cdi340v Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.08_cdi340v"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinkagile Hx 2000 Search vendor "Lenovo" for product "Thinkagile Hx 2000"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.08_cdi340v Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.08_cdi340v"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinkagile Hx 3000 Search vendor "Lenovo" for product "Thinkagile Hx 3000"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.08_cdi340v Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.08_cdi340v"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinkagile Hx 5000 Search vendor "Lenovo" for product "Thinkagile Hx 5000"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.08_cdi340v Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.08_cdi340v"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinkagile Hx 7000 Search vendor "Lenovo" for product "Thinkagile Hx 7000"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.08_cdi340v Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.08_cdi340v"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinkagile Mx Sr650 Search vendor "Lenovo" for product "Thinkagile Mx Sr650"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.08_cdi340v Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.08_cdi340v"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinkagile Vx 1000 Search vendor "Lenovo" for product "Thinkagile Vx 1000"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.08_cdi340v Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.08_cdi340v"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinkagile Vx 2000 Search vendor "Lenovo" for product "Thinkagile Vx 2000"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.08_cdi340v Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.08_cdi340v"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinkagile Vx 3000 Search vendor "Lenovo" for product "Thinkagile Vx 3000"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.08_cdi340v Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.08_cdi340v"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinkagile Vx 5000 Search vendor "Lenovo" for product "Thinkagile Vx 5000"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.08_cdi340v Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.08_cdi340v"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinkagile Vx 7000 Search vendor "Lenovo" for product "Thinkagile Vx 7000"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.08_cdi340v Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.08_cdi340v"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinksystem Sr530 Search vendor "Lenovo" for product "Thinksystem Sr530"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.08_cdi340v Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.08_cdi340v"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinksystem Sr550 Search vendor "Lenovo" for product "Thinksystem Sr550"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.08_cdi340v Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.08_cdi340v"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinksystem Sr570 Search vendor "Lenovo" for product "Thinksystem Sr570"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.08_cdi340v Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.08_cdi340v"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinksystem Sr590 Search vendor "Lenovo" for product "Thinksystem Sr590"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.08_cdi340v Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.08_cdi340v"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinksystem Sr630 Search vendor "Lenovo" for product "Thinksystem Sr630"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.08_cdi340v Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.08_cdi340v"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinksystem Sr650 Search vendor "Lenovo" for product "Thinksystem Sr650"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.08_cdi340v Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.08_cdi340v"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinksystem St550 Search vendor "Lenovo" for product "Thinksystem St550"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 3.08_cdi340v Search vendor "Lenovo" for product "Xclarity Controller" and version " < 3.08_cdi340v"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinksystem St558 Search vendor "Lenovo" for product "Thinksystem St558"	-	-	Safe
Lenovo Search vendor "Lenovo"	Xclarity Controller Search vendor "Lenovo" for product "Xclarity Controller"	< 1.71_psi328n Search vendor "Lenovo" for product "Xclarity Controller" and version " < 1.71_psi328n"	-	Affected	in	Lenovo Search vendor "Lenovo"	Thinksystem Sr950 Server Search vendor "Lenovo" for product "Thinksystem Sr950 Server"	-	-	Safe