Symbolic Link Vulnerability in Lenovo Installation Packages
CVE-2019-6196

6.7MEDIUM

Key Information:

Vendor: Lenovo
Status: Installation Packages
Vendor: CVE Published:; 9 June 2020

Summary

A symbolic link vulnerability exists in certain Lenovo installation packages, allowing unauthorized privileged file operations during the extraction and installation processes. This risk surfaces in versions before 1.2.9.3, posing a potential threat to system integrity and confidentiality. Users are encouraged to update to the latest version to mitigate this risk and enhance security.

Affected Version(s)

Installation Packages < 1.2.9.3

References

https://support.lenovo.com/us/en/product_security/len-27431

x_refsource_MISC

CVSS V3.1

Score:

6.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jun 9, 2020
Vulnerability Reserved
Jan 11, 2019

Credit

Lenovo thanks Eran Shimony at CyberArk Labs for reporting this issue