Privilege Escalation Vulnerability in SSH Captive Command Shell Interface
CVE-2024-38510

7.2HIGH

Key Information:

Vendor: Lenovo
Status: Xclarity Controller
Vendor: CVE Published:; 26 July 2024

Summary

A vulnerability has been identified in Lenovo's SSH captive command shell interface, enabling privilege escalation for authenticated XCC users with elevated privileges. It allows for the execution of command injection attacks through the upload of specially crafted files. This security flaw poses significant risks, as attackers can exploit it to gain unauthorized access to sensitive system functionalities and execute arbitrary commands, compromising the integrity and security of affected environments.

Affected Version(s)

XClarity Controller various

References

https://support.lenovo.com/us/en/product_security/LEN-156781

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 26, 2024