MEDIUM · 4.8

CVE-2019-6195

Vulnerability Description

An authorization bypass exists in Lenovo XClarity Controller (XCC) versions prior to 3.08 CDI340V, 3.01 TEI392O, 1.71 PSI328N where a valid authenticated user with lesser privileges may be granted read-only access to higher-privileged information if 1) “LDAP Authentication Only with Local Authorization” mode is configured and used by XCC, and 2) a lesser privileged user logs into XCC within 1 minute of a higher privileged user logging out. The authorization bypass does not exist when “Local Authentication and Authorization” or “LDAP Authentication and Authorization” modes are configured and used by XCC.

CVSS Score

4.8 (MEDIUM)

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: NONE
Availability: NONE

Affected Products

Vendor | Product | Versions
Lenovo | Xclarity Controller | < 3.01_tei392o
Lenovo | Thinkagile Hx 1000 | -
Lenovo | Thinkagile Hx 2000 | -
Lenovo | Thinkagile Hx 3000 | -
Lenovo | Thinkagile Hx 5000 | -
Lenovo | Thinkagile Hx 7000 | -
Lenovo | Thinkagile Vx 1000 | -
Lenovo | Thinkagile Vx 2000 | -
Lenovo | Thinkagile Vx 3000 | -
Lenovo | Thinkagile Vx 5000 | -
Lenovo | Thinkagile Vx 7000 | -
Lenovo | Thinksystem Sd530 | -
Lenovo | Thinksystem Sd650 Dwc | -
Lenovo | Thinksystem Sn550 | -
Lenovo | Thinksystem Sn850 | -
Lenovo | Thinksystem Sr150 | -
Lenovo | Thinksystem Sr158 | -
Lenovo | Thinksystem Sr250 | -
Lenovo | Thinksystem Sr258 | -
Lenovo | Thinksystem Sr850 | -

Related Weaknesses (CWE)

References

FAQ

What is CVE-2019-6195?

CVE-2019-6195 is a vulnerability with a CVSS score of 4.8 (MEDIUM). An authorization bypass exists in Lenovo XClarity Controller (XCC) versions prior to 3.08 CDI340V, 3.01 TEI392O, 1.71 PSI328N where a valid authenticated user with lesser privileges may be granted rea...

How severe is CVE-2019-6195?

CVE-2019-6195 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-6195?

Check the references section above for vendor advisories and patch information. Affected products include: Lenovo Xclarity Controller, Lenovo Thinkagile Hx 1000, Lenovo Thinkagile Hx 2000, Lenovo Thinkagile Hx 3000, Lenovo Thinkagile Hx 5000.