CVE-2019-19756 — HIGH (7.9)

Vulnerability Description

An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered Windows OS credentials, used to perform driver updates of managed systems, being written to a log file in clear text. This only affects LXCA version 2.6.0 when performing a Windows driver update. Affected logs are only accessible to authorized users in the First Failure Data Capture (FFDC) service log and log files on LXCA.

CVSS Score

7.9

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Lenovo	Xclarity Administrator	2.6.0

Related Weaknesses (CWE)

CWE-532

References

https://support.lenovo.com/us/en/product_security/LEN-29942Vendor Advisory
https://support.lenovo.com/us/en/product_security/LEN-29942Vendor Advisory

FAQ

What is CVE-2019-19756?

CVE-2019-19756 is a vulnerability with a CVSS score of 7.9 (HIGH). An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered Windows OS credentials, used to perform driver updates of managed systems, being written to a log file in clear te...

How severe is CVE-2019-19756?

CVE-2019-19756 has been rated HIGH with a CVSS base score of 7.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-19756?

Check the references section above for vendor advisories and patch information. Affected products include: Lenovo Xclarity Administrator.