CVE-2017-3745

Severity: 7.8 HIGH
EPSS: 0.1% (top 73.29%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jun 20
Latest update: May 17

Description

In Lenovo XClarity Administrator (LXCA) before 1.3.0, if service data is downloaded from LXCA, a non-administrative user may have access to password information for users that have previously authenticated to the LXCA's internal LDAP server, including administrative accounts and service accounts with administrative privileges. This is an issue only for users who have used local authentication with LXCA and not remote authentication against external LDAP or ADFS servers.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages: 2 packages

Patches

Vulnerability Details (2)

GHSA
GHSA-h6cc-cf9q-cgxh: In Lenovo XClarity Administrator (LXCA) before 1 | 2022-05-17
CVEList
CVE-2017-3745: In Lenovo XClarity Administrator (LXCA) before 1 | 2017-06-20