Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-3743

If multiple users are concurrently logged into a single system where one user is sending a command via the Lenovo ToolsCenter Advanced Settings Utility (ASU), UpdateXpress System Pack Installer (UXSPI) or Dynamic System Analysis (DSA) to a second machine, the other users may be able to see the user ID and clear text password that were used to access the second machine during the time the command is processing.

Published

2017-06-20T00:29:00.297

Last Modified

2025-04-20T01:37:25.860

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:S/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

6.8

Impact Score

2.9

Weaknesses

Type: Primary
CWE-200

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	lenovo	advanced_settings_utility	≤ 10.1	Yes
Application	lenovo	toolscenter_dynamic_system_analysis	≤ 10.2	Yes
Application	lenovo	updatexpress_system_pack_installer	≤ 10.2	Yes

References

https://support.lenovo.com/us/en/product_security/LEN-10810 Patch, Vendor Advisory ([email protected])
https://support.lenovo.com/us/en/product_security/LEN-10810 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)