PT-2020-11198 · Lenovo · Lenovo Xclarity Controller

Published: 2020-02-14 · Updated: 2020-03-04 · CVE-2019-6195

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Lenovo XClarity Controller versions prior to 3.08 CDI340V
Lenovo XClarity Controller versions prior to 3.01 TEI392O
Lenovo XClarity Controller versions prior to 1.71 PSI328N

Description

An authorization bypass exists where a valid authenticated user with lesser privileges may be granted read-only access to higher-privileged information under specific conditions. This occurs when "LDAP Authentication Only with Local Authorization" mode is configured and a lesser privileged user logs into the system within 1 minute of a higher privileged user logging out. The issue does not affect systems using "Local Authentication and Authorization" or "LDAP Authentication and Authorization" modes.

Recommendations

For versions prior to 3.08 CDI340V, update to version 3.08 CDI340V or later. For versions prior to 3.01 TEI392O, update to version 3.01 TEI392O or later. For versions prior to 1.71 PSI328N, update to version 1.71 PSI328N or later. As a temporary workaround, consider configuring "Local Authentication and Authorization" or "LDAP Authentication and Authorization" modes to prevent the authorization bypass.
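The advisory states the triggering condition precisely: the affected authentication mode plus a lower-privileged login within one minute of a higher-privileged logout. A defender reviewing controller audit logs for the period before patching can check for exactly that pattern. The following is an added example written for this page, not Lenovo's code or tooling; it assumes a constructed log line format ("<ISO-8601 timestamp> <user> <role> <login|logout>") and a hypothetical privilege ranking of the role names ReadOnly < Operator < Supervisor, both of which would need to be adapted to the real audit export. The 60-second window and the mode names come from the advisory text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Mode names as given in the advisory.
AFFECTED_MODE = "LDAP Authentication Only with Local Authorization"
SAFE_MODES = {
    "Local Authentication and Authorization",
    "LDAP Authentication and Authorization",
}

# Hypothetical privilege ranking (assumption; adjust to the deployment's role set).
PRIV_RANK = {"ReadOnly": 0, "Operator": 1, "Supervisor": 2}

# Window named in the advisory: lower-privileged login within 1 minute of a logout.
WINDOW = timedelta(minutes=1)


@dataclass
class Event:
    ts: datetime
    user: str
    role: str
    action: str  # "login" or "logout"


def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed-format audit line; return None for lines we cannot use."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("login", "logout"):
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    if parts[2] not in PRIV_RANK:
        return None
    return Event(ts, parts[1], parts[2], parts[3])


def mode_is_affected(mode: str) -> bool:
    """True only for the single mode the advisory says is vulnerable."""
    return mode == AFFECTED_MODE


def find_suspect_logins(lines: List[str], mode: str) -> List[Tuple[Event, Event]]:
    """Return (login, preceding_logout) pairs where a lower-privileged user logged in
    within WINDOW after a different, higher-privileged user logged out.
    Systems in either safe mode are not affected, so nothing is reported for them."""
    if not mode_is_affected(mode):
        return []
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e.ts)
    hits: List[Tuple[Event, Event]] = []
    recent_logouts: List[Event] = []
    for ev in events:
        if ev.action == "logout":
            recent_logouts.append(ev)
            continue
        # Keep only logouts that are still inside the window relative to this login.
        recent_logouts = [lo for lo in recent_logouts if ev.ts - lo.ts <= WINDOW]
        for lo in recent_logouts:
            if lo.user != ev.user and PRIV_RANK[lo.role] > PRIV_RANK[ev.role]:
                hits.append((ev, lo))
    return hits


# Constructed sample log: one hit (viewer1 logs in 30 s after Supervisor admin1 logs out),
# one login outside the window, and one login that is not lower-privileged.
SAMPLE_LOG = [
    "2020-02-14T10:00:00 admin1 Supervisor login",
    "2020-02-14T10:05:00 admin1 Supervisor logout",
    "2020-02-14T10:05:30 viewer1 ReadOnly login",
    "2020-02-14T10:09:00 viewer1 ReadOnly logout",
    "2020-02-14T10:20:00 ops1 Operator logout",
    "2020-02-14T10:22:00 viewer2 ReadOnly login",
    "2020-02-14T10:22:10 admin2 Supervisor login",
    "this line is malformed and is skipped",
]


def report(lines: List[str], mode: str) -> List[str]:
    """Human-readable summary lines, one per suspect login."""
    return [
        f"{login.ts.isoformat()} {login.user} ({login.role}) logged in "
        f"{int((login.ts - logout.ts).total_seconds())}s after "
        f"{logout.user} ({logout.role}) logged out"
        for login, logout in find_suspect_logins(lines, mode)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, AFFECTED_MODE):
        print(line)
```

A hit from this check does not prove information was exposed; it marks a session that met the advisory's timing condition on an unpatched controller in the affected mode, which is where a review of what that session read should start. Running the same log through `find_suspect_logins` with either safe mode configured returns nothing, matching the advisory's scope.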

Fix

Improper Privilege Management


Weakness Enumeration

Related Identifiers

CVE-2019-6195

Affected Products

Lenovo Xclarity Controller