CVE-2019-6195 : An authorization bypass exists in Lenovo XClarity Controller (XCC) versions prio

An authorization bypass exists in Lenovo XClarity Controller (XCC) versions prior to 3.08 CDI340V, 3.01 TEI392O, 1.71 PSI328N where a valid authenticated user with lesser privileges may be granted read-only access to higher-privileged information if 1) “LDAP Authentication Only with Local Authorization” mode is configured and used by XCC, and 2) a lesser privileged user logs into XCC within 1 minute of a higher privileged user logging out. The authorization bypass does not exist when “Local Authentication and Authorization” or “LDAP Authentication and Authorization” modes are configured and used by XCC.

Published 2020-02-14 17:15:13

Updated 2020-03-04 18:26:15

Source Lenovo Group Ltd.

View at NVD, CVE.org

Products affected by CVE-2019-6195

Lenovo » Xclarity Controller
Versions before (<) 3.01_tei392o
cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Thinkagile Hx 1000 » Version: N/A
When used together with: Lenovo » Thinkagile Hx 2000 » Version: N/A
When used together with: Lenovo » Thinkagile Hx 3000 » Version: N/A
When used together with: Lenovo » Thinkagile Hx 5000 » Version: N/A
When used together with: Lenovo » Thinkagile Hx 7000 » Version: N/A
When used together with: Lenovo » Thinkagile Vx 1000 » Version: N/A
When used together with: Lenovo » Thinkagile Vx 2000 » Version: N/A
When used together with: Lenovo » Thinkagile Vx 3000 » Version: N/A
When used together with: Lenovo » Thinkagile Vx 5000 » Version: N/A
When used together with: Lenovo » Thinkagile Vx 7000 » Version: N/A
When used together with: Lenovo » Thinksystem Sd530 » Version: N/A
When used together with: Lenovo » Thinksystem Sd650 Dwc » Version: N/A
When used together with: Lenovo » Thinksystem Sn550 » Version: N/A
When used together with: Lenovo » Thinksystem Sn850 » Version: N/A
When used together with: Lenovo » Thinksystem Sr150 » Version: N/A
When used together with: Lenovo » Thinksystem Sr158 » Version: N/A
When used together with: Lenovo » Thinksystem Sr250 » Version: N/A
When used together with: Lenovo » Thinksystem Sr258 » Version: N/A
When used together with: Lenovo » Thinksystem Sr850 » Version: N/A
When used together with: Lenovo » Thinksystem Sr860 » Version: N/A
When used together with: Lenovo » Thinksystem St250 » Version: N/A
When used together with: Lenovo » Thinksystem St258 » Version: N/A
Lenovo » Xclarity Controller
Versions before (<) 1.71_psi328n
cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Thinksystem Sr950 Server » Version: N/A
Lenovo » Xclarity Controller
Versions before (<) 3.08_cdi340v
cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*
Matching versions
When used together with: Lenovo » Thinkagile Hx 1000 » Version: N/A
When used together with: Lenovo » Thinkagile Hx 2000 » Version: N/A
When used together with: Lenovo » Thinkagile Hx 3000 » Version: N/A
When used together with: Lenovo » Thinkagile Hx 5000 » Version: N/A
When used together with: Lenovo » Thinkagile Hx 7000 » Version: N/A
When used together with: Lenovo » Thinkagile Mx Sr650 » Version: N/A
When used together with: Lenovo » Thinkagile Vx 1000 » Version: N/A
When used together with: Lenovo » Thinkagile Vx 2000 » Version: N/A
When used together with: Lenovo » Thinkagile Vx 3000 » Version: N/A
When used together with: Lenovo » Thinkagile Vx 5000 » Version: N/A
When used together with: Lenovo » Thinkagile Vx 7000 » Version: N/A
When used together with: Lenovo » Thinksystem Sr530 » Version: N/A
When used together with: Lenovo » Thinksystem Sr550 » Version: N/A
When used together with: Lenovo » Thinksystem Sr570 » Version: N/A
When used together with: Lenovo » Thinksystem Sr590 » Version: N/A
When used together with: Lenovo » Thinksystem Sr630 » Version: N/A
When used together with: Lenovo » Thinksystem Sr650 » Version: N/A
When used together with: Lenovo » Thinksystem St550 » Version: N/A
When used together with: Lenovo » Thinksystem St558 » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2019-6195

EPSS FAQ

0.14%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 36 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-6195

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.1	LOW	AV:N/AC:H/Au:S/C:P/I:N/A:N	3.9	2.9	NIST
Access Vector: Network Access Complexity: High Authentication: Single Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
4.8	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N	1.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: None
4.8	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N	1.2	3.6	Lenovo Group Ltd.
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2019-6195

CWE-264

Assigned by: psirt@lenovo.com (Secondary)
CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-6195

https://support.lenovo.com/us/en/product_security/LEN-29116

Lenovo XClarity Controller (XCC) Vulnerability - US
Vendor Advisory

Jump to

Vulnerability Details : CVE-2019-6195

Products affected by CVE-2019-6195

Exploit prediction scoring system (EPSS) score for CVE-2019-6195

CVSS scores for CVE-2019-6195

CWE ids for CVE-2019-6195

References for CVE-2019-6195