CWE: 269, 264

CVE-2019-6195

First published: Fri Feb 14 2020

An authorization bypass exists in Lenovo XClarity Controller (XCC) versions prior to 3.08 CDI340V, 3.01 TEI392O, 1.71 PSI328N where a valid authenticated user with lesser privileges may be granted read-only access to higher-privileged information if 1) “LDAP Authentication Only with Local Authorization” mode is configured and used by XCC, and 2) a lesser privileged user logs into XCC within 1 minute of a higher privileged user logging out. The authorization bypass does not exist when “Local Authentication and Authorization” or “LDAP Authentication and Authorization” modes are configured and used by XCC.

Credit: psirt@lenovo.com

Affected Software | Affected Version | How to fix
Lenovo XClarity Controller | <3.01_tei392o |
Lenovo Thinkagile Hx 1000 | |
Lenovo Thinkagile Hx 2000 | |
Lenovo Thinkagile Hx 3000 | |
Lenovo Thinkagile Hx 5000 | |
Lenovo Thinkagile Hx 7000 | |
Lenovo Thinkagile Vx 1000 | |
Lenovo Thinkagile Vx 2000 | |
Lenovo Thinkagile Vx 3000 | |
Lenovo Thinkagile Vx 5000 | |
Lenovo Thinkagile Vx 7000 | |
Lenovo Thinksystem Sd530 | |
Lenovo Thinksystem Sd650 Dwc | |
Lenovo Thinksystem Sn550 | |
Lenovo Thinksystem Sn850 | |
Lenovo Thinksystem Sr150 | |
Lenovo Thinksystem Sr158 | |
Lenovo Thinksystem Sr250 | |
Lenovo Thinksystem Sr258 | |
Lenovo Thinksystem Sr850 | |
Lenovo Thinksystem Sr860 | |
Lenovo Thinksystem St250 | |
Lenovo Thinksystem St258 | |
Lenovo XClarity Controller | <3.08_cdi340v |
Lenovo Thinkagile Mx Sr650 | |
Lenovo Thinksystem Sr530 | |
Lenovo Thinksystem Sr550 | |
Lenovo Thinksystem Sr570 | |
Lenovo Thinksystem Sr590 | |
Lenovo Thinksystem Sr630 | |
Lenovo Thinksystem Sr650 | |
Lenovo Thinksystem St550 | |
Lenovo Thinksystem St558 | |
Lenovo XClarity Controller | <1.71_psi328n |
Lenovo Thinksystem Sr950 Server | |

Remedy

Update to Lenovo XClarity Controller (XCC) version 3.08 CDI340V, 3.01 TEI392O, 1.71 PSI328N or higher.

Frequently Asked Questions

  • What is the severity of CVE-2019-6195?

    The severity of CVE-2019-6195 is medium, with a severity value of 4.8.

  • How can I fix CVE-2019-6195?

    To fix CVE-2019-6195, update Lenovo XClarity Controller (XCC) to version 3.08 CDI340V or later.

  • Which versions of Lenovo XClarity Controller are affected by CVE-2019-6195?

    Lenovo XClarity Controller versions prior to 3.08 CDI340V, 3.01 TEI392O, and 1.71 PSI328N are affected by CVE-2019-6195.

  • What is the CWE number for CVE-2019-6195?

    The CWE numbers for CVE-2019-6195 are CWE-269 and CWE-264.

  • Where can I find more information about CVE-2019-6195?

    You can find more information about CVE-2019-6195 on the Lenovo product security website.
