CVE-2019-19756

An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered Windows OS credentials, used to perform driver updates of managed systems, being written to a log file in clear text. This only affects LXCA version 2.6.0 when performing a Windows driver update. Affected logs are only accessible to authorized users in the First Failure Data Capture (FFDC) service log and log files on LXCA.

CVSS v3 7.9 HIGH
CVSS v2.0 3.6 LOW

7.9^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.5 / Impact : 5.8

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

3.6^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:P/A:N

Exploitability : 3.9 / Impact : 4.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://support.lenovo.com/us/en/product_security/LEN-29942	Vendor Advisory
https://support.lenovo.com/us/en/product_security/LEN-29942	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lenovo:xclarity_administrator:2.6.0:*:*:*:*:*:*:*

History

21 Nov 2024, 04:35

Type	Values Removed	Values Added
References	~~() https://support.lenovo.com/us/en/product_security/LEN-29942 - Vendor Advisory~~	() https://support.lenovo.com/us/en/product_security/LEN-29942 - Vendor Advisory
CVSS	v2 : ~~3.6~~ v3 : ~~6.0~~	v2 : 3.6 v3 : 7.9

Information

Published : 2020-03-13 16:15

Updated : 2024-11-21 04:35

NVD link : CVE-2019-19756

Mitre link : CVE-2019-19756

CVE.ORG link : CVE-2019-19756

JSON object : View

Products Affected

lenovo

xclarity_administrator

CWE

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2019-19756", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.6, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "psirt@lenovo.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.9, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 1.5}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.0, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 0.8}]}, "published": "2020-03-13T16:15:11.970", "references": [{"url": "https://support.lenovo.com/us/en/product_security/LEN-29942", "tags": ["Vendor Advisory"], "source": "psirt@lenovo.com"}, {"url": "https://support.lenovo.com/us/en/product_security/LEN-29942", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "psirt@lenovo.com", "description": [{"lang": "en", "value": "CWE-532"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered Windows OS credentials, used to perform driver updates of managed systems, being written to a log file in clear text. This only affects LXCA version 2.6.0 when performing a Windows driver update. Affected logs are only accessible to authorized users in the First Failure Data Capture (FFDC) service log and log files on LXCA."}, {"lang": "es", "value": "Una auditor\u00eda interna de seguridad del producto de Lenovo XClarity Administrator (LXCA), detect\u00f3 que las credenciales del Sistema Operativo Windows, usadas para realizar actualizaciones de los controladores de sistemas administrados, han sido escritos en un archivo de registro en texto sin cifrar. Esto s\u00f3lo afecta a LXCA versi\u00f3n 2.6.0 cuando se realiza una actualizaci\u00f3n del controlador de Windows. Los registros afectados s\u00f3lo son accesibles para los usuarios autorizados en el registro de servicio de First Failure Data Capture (FFDC) y los archivos de registro en LXCA."}], "lastModified": "2024-11-21T04:35:19.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:xclarity_administrator:2.6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ACE528D5-BE85-490C-AADF-658B51637E6A"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@lenovo.com"}