Clear Text Password Storage in LXCO Product by Lenovo
CVE-2020-8356

4.9MEDIUM

Key Information:

Vendor: Lenovo
Status: Xclarity Orchestrator
Vendor: CVE Published:; 9 March 2021

What is CVE-2020-8356?

An internal audit of Lenovo's LXCO product revealed a security weakness where optional passwords for Syslog and SMTP forwarders, if provided, are recorded in an internal log file in plain text. This log data is captured within the First Failure Data Capture (FFDC) service log, which is only generated upon request from an authorized LXCO user. While access to these logs is restricted to the privileged user who requested them, storing sensitive information in clear text poses significant security risks, including potential exposure to unauthorized users.

Affected Version(s)

XClarity Orchestrator < 1.2.2

References

https://support.lenovo.com/us/en/product_security/LEN-49884

x_refsource_MISC

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 9, 2021
Vulnerability Reserved
Jan 28, 2020