CVE-2018-16089

CWE-78 — OS Command Injection3 documents3 sources

Severity

7.5HIGH

EPSS

1.2%

top 21.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lenovo Thinksystem SMM Lenovo System Management Module Firmware

Timeline

PublishedNov 27

Latest updateMay 13

Description

In System Management Module (SMM) versions prior to 1.06, a field in the header of SMM firmware update images is insufficiently sanitized, allowing post-authentication command injection on the SMM as the root user.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

▶NVDlenovo/system_management_module_firmware< 1.06

▶CVEListV5lenovo/thinksystem_smmunspecified — 1.06

🔴Vulnerability Details

GHSA

GHSA-c33r-r827-v785: In System Management Module (SMM) versions prior to 1↗2022-05-13

▶

CVEList

System Management Module Vulnerabilities↗2018-11-27

▶