CVE-2024-38510
Severity
7.2 HIGH
EPSS
0.5%
top 33.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Jul 26
Description
A privilege escalation vulnerability was discovered in the SSH captive command shell interface that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9
Affected Packages: 1 package
Vulnerability Details (2)
CVEList
CVE-2024-38510: A privilege escalation vulnerability was discovered in the SSH captive command shell interface that could allow an authenticated XCC user with elevate... (2024-07-26)
GHSA
GHSA-9p3q-q3jf-q5p4: A privilege escalation vulnerability was discovered in the SSH captive command shell interface that could allow an authenticated XCC user with elevate... (2024-07-26)