CVE-2019-6173

A DLL search path vulnerability could allow privilege escalation in some Lenovo installation packages, prior to version 1.2.9.3, during installation if an attacker already has administrative privileges.

CVSS v3 6.7 MEDIUM
CVSS v2.0 6.9 MEDIUM

6.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.9^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 3.4 / Impact : 10.0

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://support.lenovo.com/us/en/product_security/len-27431	Patch Vendor Advisory
https://support.lenovo.com/us/en/product_security/len-27431	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lenovo:installation_package:*:*:*:*:*:*:*:*

History

21 Nov 2024, 04:46

Type	Values Removed	Values Added
References	~~() https://support.lenovo.com/us/en/product_security/len-27431 - Patch, Vendor Advisory~~	() https://support.lenovo.com/us/en/product_security/len-27431 - Patch, Vendor Advisory
CVSS	v2 : ~~6.9~~ v3 : ~~6.5~~	v2 : 6.9 v3 : 6.7

Information

Published : 2020-06-09 20:15

Updated : 2024-11-21 04:46

NVD link : CVE-2019-6173

Mitre link : CVE-2019-6173

CVE.ORG link : CVE-2019-6173

JSON object : View

Products Affected

lenovo

installation_package

CWE

CWE-426

Untrusted Search Path

{"id": "CVE-2019-6173", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Secondary", "source": "psirt@lenovo.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.6}]}, "published": "2020-06-09T20:15:11.710", "references": [{"url": "https://support.lenovo.com/us/en/product_security/len-27431", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@lenovo.com"}, {"url": "https://support.lenovo.com/us/en/product_security/len-27431", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "psirt@lenovo.com", "description": [{"lang": "en", "value": "CWE-426"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-426"}]}], "descriptions": [{"lang": "en", "value": "A DLL search path vulnerability could allow privilege escalation in some Lenovo installation packages, prior to version 1.2.9.3, during installation if an attacker already has administrative privileges."}, {"lang": "es", "value": "Una vulnerabilidad de ruta de b\u00fasqueda de DLL podr\u00eda permitir una escalada de privilegios en algunos paquetes de instalaci\u00f3n de Lenovo, versiones anteriores a 1.2.9.3, durante la instalaci\u00f3n si un atacante ya posee privilegios administrativos"}], "lastModified": "2024-11-21T04:46:06.110", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:installation_package:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DDFE5768-B111-4090-9680-013B931AD47E", "versionEndExcluding": "1.2.9.3"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@lenovo.com"}