Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-6161

An internal product security audit discovered a session handling vulnerability in the web interface of ThinkAgile CP-SB (Storage Block) BMC in firmware versions prior to 1908.M. This vulnerability allows session IDs to be reused, which could provide unauthorized access to the BMC under certain circumstances. This vulnerability does not affect ThinkSystem XCC, System x IMM2, or other BMCs.

Published

2019-09-26T16:15:11.970

Last Modified

2024-11-21T04:46:03.423

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-384

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	lenovo	cp_storage_block_firmware	< 1908.m	Yes
Hardware	lenovo	cp_storage_block	-	No

References

https://support.lenovo.com/solutions/LEN-26957 Vendor Advisory ([email protected])
https://support.lenovo.com/solutions/LEN-26957 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)