Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-3745

In Lenovo XClarity Administrator (LXCA) before 1.3.0, if service data is downloaded from LXCA, a non-administrative user may have access to password information for users that have previously authenticated to the LXCA's internal LDAP server, including administrative accounts and service accounts with administrative privileges. This is an issue only for users who have used local authentication with LXCA and not remote authentication against external LDAP or ADFS servers.

Published

2017-06-20T00:29:00.360

Last Modified

2025-04-20T01:37:25.860

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 7.8 (HIGH)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:P/I:N/A:N

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

3.9

Impact Score

2.9

Weaknesses

Type: Primary
CWE-287

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	lenovo	xclarity_administrator	≤ 1.2.2	Yes

References

https://support.lenovo.com/us/en/product_security/LEN-13671 Patch, Vendor Advisory ([email protected])
https://support.lenovo.com/us/en/product_security/LEN-13671 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)