Authorization Bypass in Lenovo XClarity Controller
CVE-2019-6195

4.8MEDIUM

Key Information:

Vendor: Lenovo
Status: Xclarity Controller (xcc)
Vendor: CVE Published:; 14 February 2020

Summary

An authorization bypass vulnerability in Lenovo XClarity Controller allows a valid authenticated user with lesser privileges access to higher-privileged information under specific conditions. If configured to use 'LDAP Authentication Only with Local Authorization,' a lower-privileged user can gain read-only access to sensitive data if they log in shortly after a higher-privileged user logs out. The issue does not manifest under other authentication configurations, highlighting the importance of proper mode selection to protect sensitive information.

Affected Version(s)

XClarity Controller (XCC) < 3.08 CDI340V

XClarity Controller (XCC) < 3.01 TEI392O

XClarity Controller (XCC) < 1.71 PSI328N

References

https://support.lenovo.com/us/en/product_security/LEN-29116

x_refsource_MISC

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Feb 14, 2020
Vulnerability Reserved
Jan 11, 2019