CVE-2017-3745

In Lenovo XClarity Administrator (LXCA) before 1.3.0, if service data is downloaded from LXCA, a non-administrative user may have access to password information for users that have previously authenticated to the LXCA's internal LDAP server, including administrative accounts and service accounts with administrative privileges. This is an issue only for users who have used local authentication with LXCA and not remote authentication against external LDAP or ADFS servers.

Published : 2017-06-20 00:29 Updated : 2017-06-30 17:10

2.1

CVSS Score More info

Score 2.1 / 10

Access vector LOCAL

A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account. Examples of locally exploitable vulnerabilities are peripheral attacks such as Firewire/USB DMA attacks, and local privilege escalations (e.g., sudo).

Access complexity LOW

Specialized access conditions or extenuating circumstances do not exist. The following are examples:

The affected product typically requires access to a wide range of systems and users, possibly anonymous and untrusted (e.g., Internet-facing web or mail server).
The affected configuration is default or ubiquitous.
The attack can be performed manually and requires little skill or additional information gathering.
The race condition is a lazy one (i.e., it is technically a race but easily winnable).

Authentication NONE

Authentication is not required to exploit the vulnerability.

Confidentiality impact PARTIAL

There is considerable informational disclosure. Access to some system files is possible, but the attacker does not have control over what is obtained, or the scope of the loss is constrained. An example is a vulnerability that divulges only certain tables in a database.

Integrity impact NONE

There is no impact to the integrity of the system.

Availability impact NONE

There is no impact to the availability of the system.

CPE (1)
Tree view

Vendor	Product	Version	URI
Lenovo	Xclarity Administrator	1.2.2	cpe:/a:lenovo:xclarity_administrator:1.2.2

Lenovo (1) Search CVE
1. Xclarity Administrator (1) Search CVE
  1. 1.2.2

CWE

ID	Name	Description	Links
CWE-287	Improper Authentication	When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.		CVE