cve-2017-3745
Vulnerability from cvelistv5
Published: 2017-06-20 00:00
Modified: 2024-08-05 14:39
Summary
In Lenovo XClarity Administrator (LXCA) before 1.3.0, if service data is downloaded from LXCA, a non-administrative user may have access to password information for users that have previously authenticated to the LXCA's internal LDAP server, including administrative accounts and service accounts with administrative privileges. This is an issue only for users who have used local authentication with LXCA and not remote authentication against external LDAP or ADFS servers.
References
Source | URL | Tags |
---|---|---|
psirt@lenovo.com | https://support.lenovo.com/us/en/product_security/LEN-13671 | Patch, Vendor Advisory |
af854a3a-2127-422b-91ae-364da2661108 | https://support.lenovo.com/us/en/product_security/LEN-13671 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version |
---|---|---|
Lenovo Group Ltd. | XClarity Administrator | 1.2.2 |
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.