Search

Find a vulnerability

Search criteria

    112 vulnerabilities by Lenovo Group Ltd.

    CVE-2018-16098 (GCVE-0-2018-16098)

    Vulnerability from nvd – Published: 2019-01-24 22:00 – Updated: 2024-09-16 16:32
    VLAI
    Summary
    In some Lenovo ThinkPads, an unquoted search path vulnerability was found in various versions of the Synaptics Pointing Device driver which could allow unauthorized code execution as a low privilege user.
    Severity
    No CVSS data available.
    CWE
    • Code execution
    Assigner
    References
    Impacted products
    Date Public
    2019-01-10 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:17:38.214Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-24573"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Various ThinkPad products",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Various"
                }
              ]
            }
          ],
          "datePublic": "2019-01-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In some Lenovo ThinkPads, an unquoted search path vulnerability was found in various versions of the Synaptics Pointing Device driver which could allow unauthorized code execution as a low privilege user."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Code execution",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-01-25T16:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-24573"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2019-01-10T00:00:00",
              "ID": "CVE-2018-16098",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Various ThinkPad products",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Various"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In some Lenovo ThinkPads, an unquoted search path vulnerability was found in various versions of the Synaptics Pointing Device driver which could allow unauthorized code execution as a low privilege user."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Code execution"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-24573",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-24573"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-16098",
        "datePublished": "2019-01-24T22:00:00.000Z",
        "dateReserved": "2018-08-29T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:32:37.513Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9066 (GCVE-0-2018-9066)

    Vulnerability from nvd – Published: 2018-07-30 15:00 – Updated: 2024-09-16 17:14
    VLAI
    Summary
    In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user can, under specific circumstances, inject additional parameters into a specific web API call which can result in privileged command execution within LXCA's underlying operating system.
    Severity
    No CVSS data available.
    CWE
    • Privilege escalation
    Assigner
    References
    Impacted products
    Date Public
    2018-07-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:10:47.468Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-22168"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Lenovo xClarity Administrator",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than 2.1.0"
                }
              ]
            }
          ],
          "datePublic": "2018-07-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user can, under specific circumstances, inject additional parameters into a specific web API call which can result in privileged command execution within LXCA\u0027s underlying operating system."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege escalation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-30T14:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-22168"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-07-26T00:00:00",
              "ID": "CVE-2018-9066",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Lenovo xClarity Administrator",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than 2.1.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user can, under specific circumstances, inject additional parameters into a specific web API call which can result in privileged command execution within LXCA\u0027s underlying operating system."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege escalation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-22168",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-22168"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9066",
        "datePublished": "2018-07-30T15:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:14:32.440Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9065 (GCVE-0-2018-9065)

    Vulnerability from nvd – Published: 2018-07-30 15:00 – Updated: 2024-09-16 17:28
    VLAI
    Summary
    In Lenovo xClarity Administrator versions earlier than 2.1.0, an attacker that gains access to the underlying LXCA file system user may be able to retrieve a credential store containing the service processor user names and passwords for servers previously managed by that LXCA instance, and potentially decrypt those credentials more easily than intended.
    Severity
    No CVSS data available.
    CWE
    • Privilege escalation
    Assigner
    References
    Impacted products
    Date Public
    2018-07-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:10:47.362Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-22168"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Lenovo xClarity Administrator",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than 2.1.0"
                }
              ]
            }
          ],
          "datePublic": "2018-07-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Lenovo xClarity Administrator versions earlier than 2.1.0, an attacker that gains access to the underlying LXCA file system user may be able to retrieve a credential store containing the service processor user names and passwords for servers previously managed by that LXCA instance, and potentially decrypt those credentials more easily than intended."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege escalation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-30T14:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-22168"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-07-26T00:00:00",
              "ID": "CVE-2018-9065",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Lenovo xClarity Administrator",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than 2.1.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Lenovo xClarity Administrator versions earlier than 2.1.0, an attacker that gains access to the underlying LXCA file system user may be able to retrieve a credential store containing the service processor user names and passwords for servers previously managed by that LXCA instance, and potentially decrypt those credentials more easily than intended."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege escalation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-22168",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-22168"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9065",
        "datePublished": "2018-07-30T15:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:28:39.870Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9064 (GCVE-0-2018-9064)

    Vulnerability from nvd – Published: 2018-07-30 15:00 – Updated: 2024-09-16 19:04
    VLAI
    Summary
    In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user may abuse a web API debug call to retrieve the credentials for the System Manager user.
    Severity
    No CVSS data available.
    CWE
    • Privilege escalation
    Assigner
    References
    Impacted products
    Date Public
    2018-07-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:10:47.368Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-22168"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Lenovo xClarity Administrator",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than 2.1.0"
                }
              ]
            }
          ],
          "datePublic": "2018-07-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user may abuse a web API debug call to retrieve the credentials for the System Manager user."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege escalation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-30T14:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-22168"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-07-26T00:00:00",
              "ID": "CVE-2018-9064",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Lenovo xClarity Administrator",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than 2.1.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user may abuse a web API debug call to retrieve the credentials for the System Manager user."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege escalation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-22168",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-22168"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9064",
        "datePublished": "2018-07-30T15:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:04:25.593Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9068 (GCVE-0-2018-9068)

    Vulnerability from nvd – Published: 2018-07-26 19:00 – Updated: 2024-09-17 03:38
    VLAI
    Summary
    The IMM2 First Failure Data Capture function collects management module logs and diagnostic information when a hardware error is detected. This information is made available for download through an SFTP server hosted on the IMM2 management network interface. In versions earlier than 4.90 for Lenovo System x and earlier than 6.80 for IBM System x, the credentials to access the SFTP server are hard-coded and described in the IMM2 documentation, allowing an attacker with management network access to obtain the collected FFDC data. After applying the update, the IMM2 will create random SFTP credentials for use with OneCLI.
    Severity
    No CVSS data available.
    CWE
    • Information disclosure
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group Ltd. System x IMM2 Affected: firmware versions earlier than 4.90
    Create a notification for this product.
    IBM Corporation System x IMM2 Affected: firmware versions earlier than 6.80
    Create a notification for this product.
    Date Public
    2018-07-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:17:50.331Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-20227"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "System x IMM2",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware versions earlier than 4.90"
                }
              ]
            },
            {
              "product": "System x IMM2",
              "vendor": "IBM Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware versions earlier than 6.80"
                }
              ]
            }
          ],
          "datePublic": "2018-07-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The IMM2 First Failure Data Capture function collects management module logs and diagnostic information when a hardware error is detected. This information is made available for download through an SFTP server hosted on the IMM2 management network interface. In versions earlier than 4.90 for Lenovo System x and earlier than 6.80 for IBM System x, the credentials to access the SFTP server are hard-coded and described in the IMM2 documentation, allowing an attacker with management network access to obtain the collected FFDC data. After applying the update, the IMM2 will create random SFTP credentials for use with OneCLI."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Information disclosure",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-26T18:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-20227"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-07-26T00:00:00",
              "ID": "CVE-2018-9068",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "System x IMM2",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "firmware versions earlier than 4.90"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  },
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "System x IMM2",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "firmware versions earlier than 6.80"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "IBM Corporation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The IMM2 First Failure Data Capture function collects management module logs and diagnostic information when a hardware error is detected. This information is made available for download through an SFTP server hosted on the IMM2 management network interface. In versions earlier than 4.90 for Lenovo System x and earlier than 6.80 for IBM System x, the credentials to access the SFTP server are hard-coded and described in the IMM2 documentation, allowing an attacker with management network access to obtain the collected FFDC data. After applying the update, the IMM2 will create random SFTP credentials for use with OneCLI."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Information disclosure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-20227",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-20227"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9068",
        "datePublished": "2018-07-26T19:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:38:52.294Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9062 (GCVE-0-2018-9062)

    Vulnerability from nvd – Published: 2018-07-19 19:00 – Updated: 2024-08-05 07:10
    VLAI
    Title
    BIOS Modules Unprotected by Intel Boot Guard Vulnerable to Physical Attack
    Summary
    In some Lenovo ThinkPad products, one BIOS region is not properly included in the checks, allowing injection of arbitrary code.
    Severity
    No CVSS data available.
    CWE
    • Elevation of privilege
    Assigner
    References
    Impacted products
    Date Public
    2018-09-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:10:47.415Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "105387",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/105387"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-20527"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "some Lenovo ThinkPads",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "various"
                }
              ]
            }
          ],
          "datePublic": "2018-09-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In some Lenovo ThinkPad products, one BIOS region is not properly included in the checks, allowing injection of arbitrary code."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Elevation of privilege",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-09-26T09:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "name": "105387",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/105387"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-20527"
            }
          ],
          "source": {
            "advisory": "https://support.lenovo.com/us/en/solutions/LEN-20527",
            "discovery": "EXTERNAL"
          },
          "title": "BIOS Modules Unprotected by Intel Boot Guard Vulnerable to Physical Attack",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "ID": "CVE-2018-9062",
              "STATE": "PUBLIC",
              "TITLE": "BIOS Modules Unprotected by Intel Boot Guard Vulnerable to Physical Attack"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "some Lenovo ThinkPads",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "various"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In some Lenovo ThinkPad products, one BIOS region is not properly included in the checks, allowing injection of arbitrary code."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Elevation of privilege"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "105387",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/105387"
                },
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-20527",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-20527"
                }
              ]
            },
            "source": {
              "advisory": "https://support.lenovo.com/us/en/solutions/LEN-20527",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9062",
        "datePublished": "2018-07-19T19:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-08-05T07:10:47.415Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9070 (GCVE-0-2018-9070)

    Vulnerability from nvd – Published: 2018-07-13 16:00 – Updated: 2024-09-16 19:09
    VLAI
    Summary
    For the Lenovo Smart Assistant Android app versions earlier than 12.1.82, an attacker with physical access to the smart speaker can, by pressing a specific button sequence, enter factory test mode and enable a web service intended for testing the device. As with most test modes, this provides extra privileges, including changing settings and running code. Lenovo Smart Assistant is an Amazon Alexa-enabled smart speaker developed by Lenovo.
    Severity
    No CVSS data available.
    CWE
    • Root access of the device
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group Ltd. Lenovo Smart Assistant Affected: Earlier than 12.1.82
    Create a notification for this product.
    Date Public
    2018-07-13 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:17:50.627Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-22172"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Lenovo Smart Assistant",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than 12.1.82"
                }
              ]
            }
          ],
          "datePublic": "2018-07-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "For the Lenovo Smart Assistant Android app versions earlier than 12.1.82, an attacker with physical access to the smart speaker can, by pressing a specific button sequence, enter factory test mode and enable a web service intended for testing the device. As with most test modes, this provides extra privileges, including changing settings and running code. Lenovo Smart Assistant is an Amazon Alexa-enabled smart speaker developed by Lenovo."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Root access of the device",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-13T15:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-22172"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-07-13T00:00:00",
              "ID": "CVE-2018-9070",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Lenovo Smart Assistant",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than 12.1.82"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "For the Lenovo Smart Assistant Android app versions earlier than 12.1.82, an attacker with physical access to the smart speaker can, by pressing a specific button sequence, enter factory test mode and enable a web service intended for testing the device. As with most test modes, this provides extra privileges, including changing settings and running code. Lenovo Smart Assistant is an Amazon Alexa-enabled smart speaker developed by Lenovo."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Root access of the device"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-22172",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-22172"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9070",
        "datePublished": "2018-07-13T16:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:09:48.146Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9067 (GCVE-0-2018-9067)

    Vulnerability from nvd – Published: 2018-07-13 16:00 – Updated: 2024-09-17 02:07
    VLAI
    Summary
    The Lenovo Help Android app versions earlier than 6.1.2.0327 had insufficient access control for some functions which, if exploited, could have led to exposure of approximately 400 email addresses and 8,500 IMEI.
    Severity
    No CVSS data available.
    CWE
    • Exposure and modification of private app data
    Assigner
    References
    Impacted products
    Date Public
    2018-07-13 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:17:50.327Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-21561"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Lenovo Help Android application",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than 6.1.2.0327"
                }
              ]
            }
          ],
          "datePublic": "2018-07-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The Lenovo Help Android app versions earlier than 6.1.2.0327 had insufficient access control for some functions which, if exploited, could have led to exposure of approximately 400 email addresses and 8,500 IMEI."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Exposure and modification of private app data",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-13T15:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-21561"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-07-13T00:00:00",
              "ID": "CVE-2018-9067",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Lenovo Help Android application",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than 6.1.2.0327"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Lenovo Help Android app versions earlier than 6.1.2.0327 had insufficient access control for some functions which, if exploited, could have led to exposure of approximately 400 email addresses and 8,500 IMEI."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Exposure and modification of private app data"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-21561",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-21561"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9067",
        "datePublished": "2018-07-13T16:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-09-17T02:07:16.584Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9063 (GCVE-0-2018-9063)

    Vulnerability from nvd – Published: 2018-05-04 16:00 – Updated: 2024-09-16 20:12
    VLAI
    Summary
    MapDrv (C:\Program Files\Lenovo\System Update\mapdrv.exe) In Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering very large user ID or password can overrun the program's buffer, causing undefined behaviors, such as execution of arbitrary code. No additional privilege is granted to the attacker beyond what is already possessed to run MapDrv.
    Severity
    No CVSS data available.
    CWE
    • Buffer overflow
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group Ltd. Lenovo System Update Affected: Earlier than 5.07.0072
    Create a notification for this product.
    Date Public
    2018-05-03 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:10:47.364Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "104125",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/104125"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-19625"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Lenovo System Update",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than 5.07.0072"
                }
              ]
            }
          ],
          "datePublic": "2018-05-03T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "MapDrv (C:\\Program Files\\Lenovo\\System Update\\mapdrv.exe) In Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering very large user ID or password can overrun the program\u0027s buffer, causing undefined behaviors, such as execution of arbitrary code. No additional privilege is granted to the attacker beyond what is already possessed to run MapDrv."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Buffer overflow",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-05-10T09:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "name": "104125",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/104125"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-19625"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-05-03T00:00:00",
              "ID": "CVE-2018-9063",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Lenovo System Update",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than 5.07.0072"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "MapDrv (C:\\Program Files\\Lenovo\\System Update\\mapdrv.exe) In Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering very large user ID or password can overrun the program\u0027s buffer, causing undefined behaviors, such as execution of arbitrary code. No additional privilege is granted to the attacker beyond what is already possessed to run MapDrv."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Buffer overflow"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "104125",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/104125"
                },
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-19625",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-19625"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9063",
        "datePublished": "2018-05-04T16:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-09-16T20:12:36.388Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-3775 (GCVE-0-2017-3775)

    Vulnerability from nvd – Published: 2018-05-04 16:00 – Updated: 2024-09-16 23:56
    VLAI
    Summary
    Some Lenovo System x server BIOS/UEFI versions, when Secure Boot mode is enabled by a system administrator, do not properly authenticate signed code before booting it. As a result, an attacker with physical access to the system could boot unsigned code.
    Severity
    No CVSS data available.
    CWE
    • Booting unauthenticated code
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group Ltd. Some Lenovo Flex System and Lenovo System x products Affected: Affected BIOS version varies by product
    Create a notification for this product.
    Date Public
    2018-05-03 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T14:39:39.687Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-20241"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Some Lenovo Flex System and Lenovo System x products",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Affected BIOS version varies by product"
                }
              ]
            }
          ],
          "datePublic": "2018-05-03T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Some Lenovo System x server BIOS/UEFI versions, when Secure Boot mode is enabled by a system administrator, do not properly authenticate signed code before booting it. As a result, an attacker with physical access to the system could boot unsigned code."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Booting unauthenticated code",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-05-04T15:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-20241"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-05-03T00:00:00",
              "ID": "CVE-2017-3775",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Some Lenovo Flex System and Lenovo System x products",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Affected BIOS version varies by product"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Some Lenovo System x server BIOS/UEFI versions, when Secure Boot mode is enabled by a system administrator, do not properly authenticate signed code before booting it. As a result, an attacker with physical access to the system could boot unsigned code."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Booting unauthenticated code"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-20241",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-20241"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2017-3775",
        "datePublished": "2018-05-04T16:00:00.000Z",
        "dateReserved": "2016-12-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:56:19.792Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-3776 (GCVE-0-2017-3776)

    Vulnerability from nvd – Published: 2018-04-19 14:00 – Updated: 2024-09-16 16:38
    VLAI
    Summary
    Lenovo Help Android mobile app versions earlier than 6.1.2.0327 allowed information to be transmitted over an HTTP channel, permitting others observing the channel to potentially see this information.
    Severity
    No CVSS data available.
    CWE
    • Cleartext transmission of information
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group Ltd. Help mobile Android app Affected: Earlier than 6.1.2.0327
    Create a notification for this product.
    Date Public
    2018-04-17 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T14:39:41.081Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/product_security/LEN-20475"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Help mobile Android app",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than 6.1.2.0327"
                }
              ]
            }
          ],
          "datePublic": "2018-04-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Lenovo Help Android mobile app versions earlier than 6.1.2.0327 allowed information to be transmitted over an HTTP channel, permitting others observing the channel to potentially see this information."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cleartext transmission of information",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-04-19T13:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/product_security/LEN-20475"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-04-17T00:00:00",
              "ID": "CVE-2017-3776",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Help mobile Android app",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than 6.1.2.0327"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Lenovo Help Android mobile app versions earlier than 6.1.2.0327 allowed information to be transmitted over an HTTP channel, permitting others observing the channel to potentially see this information."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cleartext transmission of information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/product_security/LEN-20475",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/product_security/LEN-20475"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2017-3776",
        "datePublished": "2018-04-19T14:00:00.000Z",
        "dateReserved": "2016-12-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:38:02.181Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-3774 (GCVE-0-2017-3774)

    Vulnerability from nvd – Published: 2018-04-19 14:00 – Updated: 2024-09-16 16:48
    VLAI
    Summary
    A stack overflow vulnerability was discovered within the web administration service in Integrated Management Module 2 (IMM2) earlier than version 4.70 used in some Lenovo servers and earlier than version 6.60 used in some IBM servers. An attacker providing a crafted user ID and password combination can cause a portion of the authentication routine to overflow its stack, resulting in stack corruption.
    Severity
    No CVSS data available.
    CWE
    • Stack overflow leading to memory corruption
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group Ltd. IMM2 Affected: Earlier than 4.40
    Create a notification for this product.
    IBM IMM2 Affected: Earlier than 6.60
    Create a notification for this product.
    Date Public
    2018-04-12 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T14:39:40.967Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/product_security/LEN-19586"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "IMM2",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than 4.40"
                }
              ]
            },
            {
              "product": "IMM2",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than 6.60"
                }
              ]
            }
          ],
          "datePublic": "2018-04-12T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A stack overflow vulnerability was discovered within the web administration service in Integrated Management Module 2 (IMM2) earlier than version 4.70 used in some Lenovo servers and earlier than version 6.60 used in some IBM servers. An attacker providing a crafted user ID and password combination can cause a portion of the authentication routine to overflow its stack, resulting in stack corruption."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Stack overflow leading to memory corruption",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-04-19T13:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/product_security/LEN-19586"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-04-12T00:00:00",
              "ID": "CVE-2017-3774",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "IMM2",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than 4.40"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  },
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "IMM2",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than 6.60"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "IBM"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A stack overflow vulnerability was discovered within the web administration service in Integrated Management Module 2 (IMM2) earlier than version 4.70 used in some Lenovo servers and earlier than version 6.60 used in some IBM servers. An attacker providing a crafted user ID and password combination can cause a portion of the authentication routine to overflow its stack, resulting in stack corruption."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Stack overflow leading to memory corruption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/product_security/LEN-19586",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/product_security/LEN-19586"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2017-3774",
        "datePublished": "2018-04-19T14:00:00.000Z",
        "dateReserved": "2016-12-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:48:19.094Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-3768 (GCVE-0-2017-3768)

    Vulnerability from nvd – Published: 2018-01-26 19:00 – Updated: 2024-09-16 22:02
    VLAI
    Summary
    An unprivileged attacker with connectivity to the IMM2 could cause a denial of service attack on the IMM2 (Versions earlier than 4.4 for Lenovo System x and earlier than 6.4 for IBM System x). Flooding the IMM2 with a high volume of authentication failures via the Common Information Model (CIM) used by LXCA and OneCLI and other tools can exhaust available system memory which can cause the IMM2 to reboot itself until the requests cease.
    Severity
    No CVSS data available.
    CWE
    • Denial of Service
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group Ltd. Integrated Management Module 2 (IMM2) Affected: Earlier than 4.4 for Lenovo System x
    Affected: Earlier than 6.4 for IBM System x
    Create a notification for this product.
    Date Public
    2018-01-25 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T14:39:41.107Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/product_security/LEN-14450"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Integrated Management Module 2 (IMM2)",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than 4.4 for Lenovo System x"
                },
                {
                  "status": "affected",
                  "version": "Earlier than 6.4 for IBM System x"
                }
              ]
            }
          ],
          "datePublic": "2018-01-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An unprivileged attacker with connectivity to the IMM2 could cause a denial of service attack on the IMM2 (Versions earlier than 4.4 for Lenovo System x and earlier than 6.4 for IBM System x). Flooding the IMM2 with a high volume of authentication failures via the Common Information Model (CIM) used by LXCA and OneCLI and other tools can exhaust available system memory which can cause the IMM2 to reboot itself until the requests cease."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Denial of Service",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-26T18:57:02.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/product_security/LEN-14450"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-01-25T00:00:00",
              "ID": "CVE-2017-3768",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Integrated Management Module 2 (IMM2)",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than 4.4 for Lenovo System x"
                              },
                              {
                                "version_value": "Earlier than 6.4 for IBM System x"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An unprivileged attacker with connectivity to the IMM2 could cause a denial of service attack on the IMM2 (Versions earlier than 4.4 for Lenovo System x and earlier than 6.4 for IBM System x). Flooding the IMM2 with a high volume of authentication failures via the Common Information Model (CIM) used by LXCA and OneCLI and other tools can exhaust available system memory which can cause the IMM2 to reboot itself until the requests cease."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial of Service"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/product_security/LEN-14450",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/product_security/LEN-14450"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2017-3768",
        "datePublished": "2018-01-26T19:00:00.000Z",
        "dateReserved": "2016-12-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:02:02.189Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-3762 (GCVE-0-2017-3762)

    Vulnerability from nvd – Published: 2018-01-26 01:00 – Updated: 2024-09-16 16:24
    VLAI
    Summary
    Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01.86 and earlier, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system in which it is installed.
    Severity
    No CVSS data available.
    CWE
    • Privilege Escalation
    Assigner
    References
    Impacted products
    Date Public
    2018-01-25 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T14:39:40.562Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "102837",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/102837"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/product_security/LEN-15999"
              },
              {
                "name": "[oss-security] 20190508 Re: Re: fprintd: found storing user fingerprints without encryption",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2019/05/08/4"
              },
              {
                "name": "[oss-security] 20190508 Re: Re: fprintd: found storing user fingerprints without encryption",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2019/05/08/3"
              },
              {
                "name": "[oss-security] 20190508 Re: Re: fprintd: found storing user fingerprints without encryption",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2019/05/08/5"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Lenovo Fingerprint Manager Pro",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than 8.01.87"
                }
              ]
            }
          ],
          "datePublic": "2018-01-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01.86 and earlier, including users\u0027 Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system in which it is installed."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege Escalation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-05-08T14:06:18.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "name": "102837",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/102837"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/product_security/LEN-15999"
            },
            {
              "name": "[oss-security] 20190508 Re: Re: fprintd: found storing user fingerprints without encryption",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/05/08/4"
            },
            {
              "name": "[oss-security] 20190508 Re: Re: fprintd: found storing user fingerprints without encryption",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/05/08/3"
            },
            {
              "name": "[oss-security] 20190508 Re: Re: fprintd: found storing user fingerprints without encryption",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/05/08/5"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-01-25T00:00:00",
              "ID": "CVE-2017-3762",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Lenovo Fingerprint Manager Pro",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than 8.01.87"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01.86 and earlier, including users\u0027 Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system in which it is installed."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege Escalation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "102837",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/102837"
                },
                {
                  "name": "https://support.lenovo.com/product_security/LEN-15999",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/product_security/LEN-15999"
                },
                {
                  "name": "[oss-security] 20190508 Re: Re: fprintd: found storing user fingerprints without encryption",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2019/05/08/4"
                },
                {
                  "name": "[oss-security] 20190508 Re: Re: fprintd: found storing user fingerprints without encryption",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2019/05/08/3"
                },
                {
                  "name": "[oss-security] 20190508 Re: Re: fprintd: found storing user fingerprints without encryption",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2019/05/08/5"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2017-3762",
        "datePublished": "2018-01-26T01:00:00.000Z",
        "dateReserved": "2016-12-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:24:14.952Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-3765 (GCVE-0-2017-3765)

    Vulnerability from nvd – Published: 2018-01-10 18:00 – Updated: 2024-09-17 01:10
    VLAI
    Summary
    In Enterprise Networking Operating System (ENOS) in Lenovo and IBM RackSwitch and BladeCenter products, an authentication bypass known as "HP Backdoor" was discovered during a Lenovo security audit in the serial console, Telnet, SSH, and Web interfaces. This bypass mechanism can be accessed when performing local authentication under specific circumstances. If exploited, admin-level access to the switch is granted.
    Severity
    No CVSS data available.
    CWE
    • Authentication Bypass
    Assigner
    References
    URL Tags
    https://support.lenovo.com/us/en/product_security… x_refsource_CONFIRM
    http://www.securitytracker.com/id/1040296 vdb-entryx_refsource_SECTRACK
    Date Public
    2018-01-09 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T14:39:41.059Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/product_security/LEN-16095"
              },
              {
                "name": "1040296",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1040296"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Enterprise Network Operating System affecting Lenovo and IBM RackSwitch and BladeCenter Products",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than"
                }
              ]
            }
          ],
          "datePublic": "2018-01-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Enterprise Networking Operating System (ENOS) in Lenovo and IBM RackSwitch and BladeCenter products, an authentication bypass known as \"HP Backdoor\" was discovered during a Lenovo security audit in the serial console, Telnet, SSH, and Web interfaces. This bypass mechanism can be accessed when performing local authentication under specific circumstances. If exploited, admin-level access to the switch is granted."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Authentication Bypass",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-31T10:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/product_security/LEN-16095"
            },
            {
              "name": "1040296",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1040296"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-01-09T00:00:00",
              "ID": "CVE-2017-3765",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Enterprise Network Operating System affecting Lenovo and IBM RackSwitch and BladeCenter Products",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Enterprise Networking Operating System (ENOS) in Lenovo and IBM RackSwitch and BladeCenter products, an authentication bypass known as \"HP Backdoor\" was discovered during a Lenovo security audit in the serial console, Telnet, SSH, and Web interfaces. This bypass mechanism can be accessed when performing local authentication under specific circumstances. If exploited, admin-level access to the switch is granted."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Authentication Bypass"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/product_security/LEN-16095",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/product_security/LEN-16095"
                },
                {
                  "name": "1040296",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1040296"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2017-3765",
        "datePublished": "2018-01-10T18:00:00.000Z",
        "dateReserved": "2016-12-16T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:10:39.100Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16098 (GCVE-0-2018-16098)

    Vulnerability from cvelistv5 – Published: 2019-01-24 22:00 – Updated: 2024-09-16 16:32
    VLAI
    Summary
    In some Lenovo ThinkPads, an unquoted search path vulnerability was found in various versions of the Synaptics Pointing Device driver which could allow unauthorized code execution as a low privilege user.
    Severity
    No CVSS data available.
    CWE
    • Code execution
    Assigner
    References
    Impacted products
    Date Public
    2019-01-10 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:17:38.214Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-24573"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Various ThinkPad products",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Various"
                }
              ]
            }
          ],
          "datePublic": "2019-01-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In some Lenovo ThinkPads, an unquoted search path vulnerability was found in various versions of the Synaptics Pointing Device driver which could allow unauthorized code execution as a low privilege user."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Code execution",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-01-25T16:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-24573"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2019-01-10T00:00:00",
              "ID": "CVE-2018-16098",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Various ThinkPad products",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Various"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In some Lenovo ThinkPads, an unquoted search path vulnerability was found in various versions of the Synaptics Pointing Device driver which could allow unauthorized code execution as a low privilege user."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Code execution"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-24573",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-24573"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-16098",
        "datePublished": "2019-01-24T22:00:00.000Z",
        "dateReserved": "2018-08-29T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:32:37.513Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9066 (GCVE-0-2018-9066)

    Vulnerability from cvelistv5 – Published: 2018-07-30 15:00 – Updated: 2024-09-16 17:14
    VLAI
    Summary
    In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user can, under specific circumstances, inject additional parameters into a specific web API call which can result in privileged command execution within LXCA's underlying operating system.
    Severity
    No CVSS data available.
    CWE
    • Privilege escalation
    Assigner
    References
    Impacted products
    Date Public
    2018-07-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:10:47.468Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-22168"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Lenovo xClarity Administrator",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than 2.1.0"
                }
              ]
            }
          ],
          "datePublic": "2018-07-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user can, under specific circumstances, inject additional parameters into a specific web API call which can result in privileged command execution within LXCA\u0027s underlying operating system."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege escalation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-30T14:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-22168"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-07-26T00:00:00",
              "ID": "CVE-2018-9066",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Lenovo xClarity Administrator",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than 2.1.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user can, under specific circumstances, inject additional parameters into a specific web API call which can result in privileged command execution within LXCA\u0027s underlying operating system."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege escalation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-22168",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-22168"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9066",
        "datePublished": "2018-07-30T15:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:14:32.440Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9065 (GCVE-0-2018-9065)

    Vulnerability from cvelistv5 – Published: 2018-07-30 15:00 – Updated: 2024-09-16 17:28
    VLAI
    Summary
    In Lenovo xClarity Administrator versions earlier than 2.1.0, an attacker that gains access to the underlying LXCA file system user may be able to retrieve a credential store containing the service processor user names and passwords for servers previously managed by that LXCA instance, and potentially decrypt those credentials more easily than intended.
    Severity
    No CVSS data available.
    CWE
    • Privilege escalation
    Assigner
    References
    Impacted products
    Date Public
    2018-07-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:10:47.362Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-22168"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Lenovo xClarity Administrator",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than 2.1.0"
                }
              ]
            }
          ],
          "datePublic": "2018-07-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Lenovo xClarity Administrator versions earlier than 2.1.0, an attacker that gains access to the underlying LXCA file system user may be able to retrieve a credential store containing the service processor user names and passwords for servers previously managed by that LXCA instance, and potentially decrypt those credentials more easily than intended."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege escalation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-30T14:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-22168"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-07-26T00:00:00",
              "ID": "CVE-2018-9065",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Lenovo xClarity Administrator",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than 2.1.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Lenovo xClarity Administrator versions earlier than 2.1.0, an attacker that gains access to the underlying LXCA file system user may be able to retrieve a credential store containing the service processor user names and passwords for servers previously managed by that LXCA instance, and potentially decrypt those credentials more easily than intended."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege escalation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-22168",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-22168"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9065",
        "datePublished": "2018-07-30T15:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:28:39.870Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9064 (GCVE-0-2018-9064)

    Vulnerability from cvelistv5 – Published: 2018-07-30 15:00 – Updated: 2024-09-16 19:04
    VLAI
    Summary
    In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user may abuse a web API debug call to retrieve the credentials for the System Manager user.
    Severity
    No CVSS data available.
    CWE
    • Privilege escalation
    Assigner
    References
    Impacted products
    Date Public
    2018-07-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:10:47.368Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-22168"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Lenovo xClarity Administrator",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than 2.1.0"
                }
              ]
            }
          ],
          "datePublic": "2018-07-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user may abuse a web API debug call to retrieve the credentials for the System Manager user."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege escalation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-30T14:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-22168"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-07-26T00:00:00",
              "ID": "CVE-2018-9064",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Lenovo xClarity Administrator",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than 2.1.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user may abuse a web API debug call to retrieve the credentials for the System Manager user."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege escalation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-22168",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-22168"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9064",
        "datePublished": "2018-07-30T15:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:04:25.593Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9068 (GCVE-0-2018-9068)

    Vulnerability from cvelistv5 – Published: 2018-07-26 19:00 – Updated: 2024-09-17 03:38
    VLAI
    Summary
    The IMM2 First Failure Data Capture function collects management module logs and diagnostic information when a hardware error is detected. This information is made available for download through an SFTP server hosted on the IMM2 management network interface. In versions earlier than 4.90 for Lenovo System x and earlier than 6.80 for IBM System x, the credentials to access the SFTP server are hard-coded and described in the IMM2 documentation, allowing an attacker with management network access to obtain the collected FFDC data. After applying the update, the IMM2 will create random SFTP credentials for use with OneCLI.
    Severity
    No CVSS data available.
    CWE
    • Information disclosure
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group Ltd. System x IMM2 Affected: firmware versions earlier than 4.90
    Create a notification for this product.
    IBM Corporation System x IMM2 Affected: firmware versions earlier than 6.80
    Create a notification for this product.
    Date Public
    2018-07-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:17:50.331Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-20227"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "System x IMM2",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware versions earlier than 4.90"
                }
              ]
            },
            {
              "product": "System x IMM2",
              "vendor": "IBM Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "firmware versions earlier than 6.80"
                }
              ]
            }
          ],
          "datePublic": "2018-07-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The IMM2 First Failure Data Capture function collects management module logs and diagnostic information when a hardware error is detected. This information is made available for download through an SFTP server hosted on the IMM2 management network interface. In versions earlier than 4.90 for Lenovo System x and earlier than 6.80 for IBM System x, the credentials to access the SFTP server are hard-coded and described in the IMM2 documentation, allowing an attacker with management network access to obtain the collected FFDC data. After applying the update, the IMM2 will create random SFTP credentials for use with OneCLI."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Information disclosure",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-26T18:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-20227"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-07-26T00:00:00",
              "ID": "CVE-2018-9068",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "System x IMM2",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "firmware versions earlier than 4.90"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  },
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "System x IMM2",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "firmware versions earlier than 6.80"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "IBM Corporation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The IMM2 First Failure Data Capture function collects management module logs and diagnostic information when a hardware error is detected. This information is made available for download through an SFTP server hosted on the IMM2 management network interface. In versions earlier than 4.90 for Lenovo System x and earlier than 6.80 for IBM System x, the credentials to access the SFTP server are hard-coded and described in the IMM2 documentation, allowing an attacker with management network access to obtain the collected FFDC data. After applying the update, the IMM2 will create random SFTP credentials for use with OneCLI."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Information disclosure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-20227",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-20227"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9068",
        "datePublished": "2018-07-26T19:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:38:52.294Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9062 (GCVE-0-2018-9062)

    Vulnerability from cvelistv5 – Published: 2018-07-19 19:00 – Updated: 2024-08-05 07:10
    VLAI
    Title
    BIOS Modules Unprotected by Intel Boot Guard Vulnerable to Physical Attack
    Summary
    In some Lenovo ThinkPad products, one BIOS region is not properly included in the checks, allowing injection of arbitrary code.
    Severity
    No CVSS data available.
    CWE
    • Elevation of privilege
    Assigner
    References
    Impacted products
    Date Public
    2018-09-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:10:47.415Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "105387",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/105387"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-20527"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "some Lenovo ThinkPads",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "various"
                }
              ]
            }
          ],
          "datePublic": "2018-09-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In some Lenovo ThinkPad products, one BIOS region is not properly included in the checks, allowing injection of arbitrary code."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Elevation of privilege",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-09-26T09:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "name": "105387",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/105387"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-20527"
            }
          ],
          "source": {
            "advisory": "https://support.lenovo.com/us/en/solutions/LEN-20527",
            "discovery": "EXTERNAL"
          },
          "title": "BIOS Modules Unprotected by Intel Boot Guard Vulnerable to Physical Attack",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "ID": "CVE-2018-9062",
              "STATE": "PUBLIC",
              "TITLE": "BIOS Modules Unprotected by Intel Boot Guard Vulnerable to Physical Attack"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "some Lenovo ThinkPads",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "various"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In some Lenovo ThinkPad products, one BIOS region is not properly included in the checks, allowing injection of arbitrary code."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Elevation of privilege"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "105387",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/105387"
                },
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-20527",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-20527"
                }
              ]
            },
            "source": {
              "advisory": "https://support.lenovo.com/us/en/solutions/LEN-20527",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9062",
        "datePublished": "2018-07-19T19:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-08-05T07:10:47.415Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9070 (GCVE-0-2018-9070)

    Vulnerability from cvelistv5 – Published: 2018-07-13 16:00 – Updated: 2024-09-16 19:09
    VLAI
    Summary
    For the Lenovo Smart Assistant Android app versions earlier than 12.1.82, an attacker with physical access to the smart speaker can, by pressing a specific button sequence, enter factory test mode and enable a web service intended for testing the device. As with most test modes, this provides extra privileges, including changing settings and running code. Lenovo Smart Assistant is an Amazon Alexa-enabled smart speaker developed by Lenovo.
    Severity
    No CVSS data available.
    CWE
    • Root access of the device
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group Ltd. Lenovo Smart Assistant Affected: Earlier than 12.1.82
    Create a notification for this product.
    Date Public
    2018-07-13 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:17:50.627Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-22172"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Lenovo Smart Assistant",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than 12.1.82"
                }
              ]
            }
          ],
          "datePublic": "2018-07-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "For the Lenovo Smart Assistant Android app versions earlier than 12.1.82, an attacker with physical access to the smart speaker can, by pressing a specific button sequence, enter factory test mode and enable a web service intended for testing the device. As with most test modes, this provides extra privileges, including changing settings and running code. Lenovo Smart Assistant is an Amazon Alexa-enabled smart speaker developed by Lenovo."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Root access of the device",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-13T15:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-22172"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-07-13T00:00:00",
              "ID": "CVE-2018-9070",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Lenovo Smart Assistant",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than 12.1.82"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "For the Lenovo Smart Assistant Android app versions earlier than 12.1.82, an attacker with physical access to the smart speaker can, by pressing a specific button sequence, enter factory test mode and enable a web service intended for testing the device. As with most test modes, this provides extra privileges, including changing settings and running code. Lenovo Smart Assistant is an Amazon Alexa-enabled smart speaker developed by Lenovo."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Root access of the device"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-22172",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-22172"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9070",
        "datePublished": "2018-07-13T16:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:09:48.146Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9067 (GCVE-0-2018-9067)

    Vulnerability from cvelistv5 – Published: 2018-07-13 16:00 – Updated: 2024-09-17 02:07
    VLAI
    Summary
    The Lenovo Help Android app versions earlier than 6.1.2.0327 had insufficient access control for some functions which, if exploited, could have led to exposure of approximately 400 email addresses and 8,500 IMEI.
    Severity
    No CVSS data available.
    CWE
    • Exposure and modification of private app data
    Assigner
    References
    Impacted products
    Date Public
    2018-07-13 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:17:50.327Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-21561"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Lenovo Help Android application",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than 6.1.2.0327"
                }
              ]
            }
          ],
          "datePublic": "2018-07-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The Lenovo Help Android app versions earlier than 6.1.2.0327 had insufficient access control for some functions which, if exploited, could have led to exposure of approximately 400 email addresses and 8,500 IMEI."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Exposure and modification of private app data",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-13T15:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-21561"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-07-13T00:00:00",
              "ID": "CVE-2018-9067",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Lenovo Help Android application",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than 6.1.2.0327"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Lenovo Help Android app versions earlier than 6.1.2.0327 had insufficient access control for some functions which, if exploited, could have led to exposure of approximately 400 email addresses and 8,500 IMEI."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Exposure and modification of private app data"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-21561",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-21561"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9067",
        "datePublished": "2018-07-13T16:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-09-17T02:07:16.584Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-9063 (GCVE-0-2018-9063)

    Vulnerability from cvelistv5 – Published: 2018-05-04 16:00 – Updated: 2024-09-16 20:12
    VLAI
    Summary
    MapDrv (C:\Program Files\Lenovo\System Update\mapdrv.exe) In Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering very large user ID or password can overrun the program's buffer, causing undefined behaviors, such as execution of arbitrary code. No additional privilege is granted to the attacker beyond what is already possessed to run MapDrv.
    Severity
    No CVSS data available.
    CWE
    • Buffer overflow
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group Ltd. Lenovo System Update Affected: Earlier than 5.07.0072
    Create a notification for this product.
    Date Public
    2018-05-03 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:10:47.364Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "104125",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/104125"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-19625"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Lenovo System Update",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than 5.07.0072"
                }
              ]
            }
          ],
          "datePublic": "2018-05-03T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "MapDrv (C:\\Program Files\\Lenovo\\System Update\\mapdrv.exe) In Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering very large user ID or password can overrun the program\u0027s buffer, causing undefined behaviors, such as execution of arbitrary code. No additional privilege is granted to the attacker beyond what is already possessed to run MapDrv."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Buffer overflow",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-05-10T09:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "name": "104125",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/104125"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-19625"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-05-03T00:00:00",
              "ID": "CVE-2018-9063",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Lenovo System Update",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than 5.07.0072"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "MapDrv (C:\\Program Files\\Lenovo\\System Update\\mapdrv.exe) In Lenovo System Update versions earlier than 5.07.0072 contains a local vulnerability where an attacker entering very large user ID or password can overrun the program\u0027s buffer, causing undefined behaviors, such as execution of arbitrary code. No additional privilege is granted to the attacker beyond what is already possessed to run MapDrv."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Buffer overflow"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "104125",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/104125"
                },
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-19625",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-19625"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2018-9063",
        "datePublished": "2018-05-04T16:00:00.000Z",
        "dateReserved": "2018-03-27T00:00:00.000Z",
        "dateUpdated": "2024-09-16T20:12:36.388Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-3775 (GCVE-0-2017-3775)

    Vulnerability from cvelistv5 – Published: 2018-05-04 16:00 – Updated: 2024-09-16 23:56
    VLAI
    Summary
    Some Lenovo System x server BIOS/UEFI versions, when Secure Boot mode is enabled by a system administrator, do not properly authenticate signed code before booting it. As a result, an attacker with physical access to the system could boot unsigned code.
    Severity
    No CVSS data available.
    CWE
    • Booting unauthenticated code
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group Ltd. Some Lenovo Flex System and Lenovo System x products Affected: Affected BIOS version varies by product
    Create a notification for this product.
    Date Public
    2018-05-03 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T14:39:39.687Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/solutions/LEN-20241"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Some Lenovo Flex System and Lenovo System x products",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Affected BIOS version varies by product"
                }
              ]
            }
          ],
          "datePublic": "2018-05-03T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Some Lenovo System x server BIOS/UEFI versions, when Secure Boot mode is enabled by a system administrator, do not properly authenticate signed code before booting it. As a result, an attacker with physical access to the system could boot unsigned code."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Booting unauthenticated code",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-05-04T15:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/solutions/LEN-20241"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-05-03T00:00:00",
              "ID": "CVE-2017-3775",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Some Lenovo Flex System and Lenovo System x products",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Affected BIOS version varies by product"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Some Lenovo System x server BIOS/UEFI versions, when Secure Boot mode is enabled by a system administrator, do not properly authenticate signed code before booting it. As a result, an attacker with physical access to the system could boot unsigned code."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Booting unauthenticated code"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/solutions/LEN-20241",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/solutions/LEN-20241"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2017-3775",
        "datePublished": "2018-05-04T16:00:00.000Z",
        "dateReserved": "2016-12-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:56:19.792Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-3774 (GCVE-0-2017-3774)

    Vulnerability from cvelistv5 – Published: 2018-04-19 14:00 – Updated: 2024-09-16 16:48
    VLAI
    Summary
    A stack overflow vulnerability was discovered within the web administration service in Integrated Management Module 2 (IMM2) earlier than version 4.70 used in some Lenovo servers and earlier than version 6.60 used in some IBM servers. An attacker providing a crafted user ID and password combination can cause a portion of the authentication routine to overflow its stack, resulting in stack corruption.
    Severity
    No CVSS data available.
    CWE
    • Stack overflow leading to memory corruption
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group Ltd. IMM2 Affected: Earlier than 4.40
    Create a notification for this product.
    IBM IMM2 Affected: Earlier than 6.60
    Create a notification for this product.
    Date Public
    2018-04-12 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T14:39:40.967Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/product_security/LEN-19586"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "IMM2",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than 4.40"
                }
              ]
            },
            {
              "product": "IMM2",
              "vendor": "IBM",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than 6.60"
                }
              ]
            }
          ],
          "datePublic": "2018-04-12T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A stack overflow vulnerability was discovered within the web administration service in Integrated Management Module 2 (IMM2) earlier than version 4.70 used in some Lenovo servers and earlier than version 6.60 used in some IBM servers. An attacker providing a crafted user ID and password combination can cause a portion of the authentication routine to overflow its stack, resulting in stack corruption."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Stack overflow leading to memory corruption",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-04-19T13:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/product_security/LEN-19586"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-04-12T00:00:00",
              "ID": "CVE-2017-3774",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "IMM2",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than 4.40"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  },
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "IMM2",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than 6.60"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "IBM"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A stack overflow vulnerability was discovered within the web administration service in Integrated Management Module 2 (IMM2) earlier than version 4.70 used in some Lenovo servers and earlier than version 6.60 used in some IBM servers. An attacker providing a crafted user ID and password combination can cause a portion of the authentication routine to overflow its stack, resulting in stack corruption."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Stack overflow leading to memory corruption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/product_security/LEN-19586",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/product_security/LEN-19586"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2017-3774",
        "datePublished": "2018-04-19T14:00:00.000Z",
        "dateReserved": "2016-12-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:48:19.094Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-3776 (GCVE-0-2017-3776)

    Vulnerability from cvelistv5 – Published: 2018-04-19 14:00 – Updated: 2024-09-16 16:38
    VLAI
    Summary
    Lenovo Help Android mobile app versions earlier than 6.1.2.0327 allowed information to be transmitted over an HTTP channel, permitting others observing the channel to potentially see this information.
    Severity
    No CVSS data available.
    CWE
    • Cleartext transmission of information
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group Ltd. Help mobile Android app Affected: Earlier than 6.1.2.0327
    Create a notification for this product.
    Date Public
    2018-04-17 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T14:39:41.081Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/product_security/LEN-20475"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Help mobile Android app",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than 6.1.2.0327"
                }
              ]
            }
          ],
          "datePublic": "2018-04-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Lenovo Help Android mobile app versions earlier than 6.1.2.0327 allowed information to be transmitted over an HTTP channel, permitting others observing the channel to potentially see this information."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cleartext transmission of information",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-04-19T13:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/product_security/LEN-20475"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-04-17T00:00:00",
              "ID": "CVE-2017-3776",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Help mobile Android app",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than 6.1.2.0327"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Lenovo Help Android mobile app versions earlier than 6.1.2.0327 allowed information to be transmitted over an HTTP channel, permitting others observing the channel to potentially see this information."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cleartext transmission of information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/product_security/LEN-20475",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/product_security/LEN-20475"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2017-3776",
        "datePublished": "2018-04-19T14:00:00.000Z",
        "dateReserved": "2016-12-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:38:02.181Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-3768 (GCVE-0-2017-3768)

    Vulnerability from cvelistv5 – Published: 2018-01-26 19:00 – Updated: 2024-09-16 22:02
    VLAI
    Summary
    An unprivileged attacker with connectivity to the IMM2 could cause a denial of service attack on the IMM2 (Versions earlier than 4.4 for Lenovo System x and earlier than 6.4 for IBM System x). Flooding the IMM2 with a high volume of authentication failures via the Common Information Model (CIM) used by LXCA and OneCLI and other tools can exhaust available system memory which can cause the IMM2 to reboot itself until the requests cease.
    Severity
    No CVSS data available.
    CWE
    • Denial of Service
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo Group Ltd. Integrated Management Module 2 (IMM2) Affected: Earlier than 4.4 for Lenovo System x
    Affected: Earlier than 6.4 for IBM System x
    Create a notification for this product.
    Date Public
    2018-01-25 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T14:39:41.107Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/product_security/LEN-14450"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Integrated Management Module 2 (IMM2)",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than 4.4 for Lenovo System x"
                },
                {
                  "status": "affected",
                  "version": "Earlier than 6.4 for IBM System x"
                }
              ]
            }
          ],
          "datePublic": "2018-01-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An unprivileged attacker with connectivity to the IMM2 could cause a denial of service attack on the IMM2 (Versions earlier than 4.4 for Lenovo System x and earlier than 6.4 for IBM System x). Flooding the IMM2 with a high volume of authentication failures via the Common Information Model (CIM) used by LXCA and OneCLI and other tools can exhaust available system memory which can cause the IMM2 to reboot itself until the requests cease."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Denial of Service",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-26T18:57:02.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/product_security/LEN-14450"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-01-25T00:00:00",
              "ID": "CVE-2017-3768",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Integrated Management Module 2 (IMM2)",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than 4.4 for Lenovo System x"
                              },
                              {
                                "version_value": "Earlier than 6.4 for IBM System x"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An unprivileged attacker with connectivity to the IMM2 could cause a denial of service attack on the IMM2 (Versions earlier than 4.4 for Lenovo System x and earlier than 6.4 for IBM System x). Flooding the IMM2 with a high volume of authentication failures via the Common Information Model (CIM) used by LXCA and OneCLI and other tools can exhaust available system memory which can cause the IMM2 to reboot itself until the requests cease."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial of Service"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/product_security/LEN-14450",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/product_security/LEN-14450"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2017-3768",
        "datePublished": "2018-01-26T19:00:00.000Z",
        "dateReserved": "2016-12-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:02:02.189Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-3762 (GCVE-0-2017-3762)

    Vulnerability from cvelistv5 – Published: 2018-01-26 01:00 – Updated: 2024-09-16 16:24
    VLAI
    Summary
    Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01.86 and earlier, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system in which it is installed.
    Severity
    No CVSS data available.
    CWE
    • Privilege Escalation
    Assigner
    References
    Impacted products
    Date Public
    2018-01-25 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T14:39:40.562Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "102837",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/102837"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/product_security/LEN-15999"
              },
              {
                "name": "[oss-security] 20190508 Re: Re: fprintd: found storing user fingerprints without encryption",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2019/05/08/4"
              },
              {
                "name": "[oss-security] 20190508 Re: Re: fprintd: found storing user fingerprints without encryption",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2019/05/08/3"
              },
              {
                "name": "[oss-security] 20190508 Re: Re: fprintd: found storing user fingerprints without encryption",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2019/05/08/5"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Lenovo Fingerprint Manager Pro",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than 8.01.87"
                }
              ]
            }
          ],
          "datePublic": "2018-01-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01.86 and earlier, including users\u0027 Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system in which it is installed."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege Escalation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-05-08T14:06:18.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "name": "102837",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/102837"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/product_security/LEN-15999"
            },
            {
              "name": "[oss-security] 20190508 Re: Re: fprintd: found storing user fingerprints without encryption",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/05/08/4"
            },
            {
              "name": "[oss-security] 20190508 Re: Re: fprintd: found storing user fingerprints without encryption",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/05/08/3"
            },
            {
              "name": "[oss-security] 20190508 Re: Re: fprintd: found storing user fingerprints without encryption",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/05/08/5"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-01-25T00:00:00",
              "ID": "CVE-2017-3762",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Lenovo Fingerprint Manager Pro",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than 8.01.87"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01.86 and earlier, including users\u0027 Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system in which it is installed."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege Escalation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "102837",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/102837"
                },
                {
                  "name": "https://support.lenovo.com/product_security/LEN-15999",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/product_security/LEN-15999"
                },
                {
                  "name": "[oss-security] 20190508 Re: Re: fprintd: found storing user fingerprints without encryption",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2019/05/08/4"
                },
                {
                  "name": "[oss-security] 20190508 Re: Re: fprintd: found storing user fingerprints without encryption",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2019/05/08/3"
                },
                {
                  "name": "[oss-security] 20190508 Re: Re: fprintd: found storing user fingerprints without encryption",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2019/05/08/5"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2017-3762",
        "datePublished": "2018-01-26T01:00:00.000Z",
        "dateReserved": "2016-12-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:24:14.952Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-3765 (GCVE-0-2017-3765)

    Vulnerability from cvelistv5 – Published: 2018-01-10 18:00 – Updated: 2024-09-17 01:10
    VLAI
    Summary
    In Enterprise Networking Operating System (ENOS) in Lenovo and IBM RackSwitch and BladeCenter products, an authentication bypass known as "HP Backdoor" was discovered during a Lenovo security audit in the serial console, Telnet, SSH, and Web interfaces. This bypass mechanism can be accessed when performing local authentication under specific circumstances. If exploited, admin-level access to the switch is granted.
    Severity
    No CVSS data available.
    CWE
    • Authentication Bypass
    Assigner
    References
    URL Tags
    https://support.lenovo.com/us/en/product_security… x_refsource_CONFIRM
    http://www.securitytracker.com/id/1040296 vdb-entryx_refsource_SECTRACK
    Date Public
    2018-01-09 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T14:39:41.059Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/product_security/LEN-16095"
              },
              {
                "name": "1040296",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1040296"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Enterprise Network Operating System affecting Lenovo and IBM RackSwitch and BladeCenter Products",
              "vendor": "Lenovo Group Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Earlier than"
                }
              ]
            }
          ],
          "datePublic": "2018-01-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Enterprise Networking Operating System (ENOS) in Lenovo and IBM RackSwitch and BladeCenter products, an authentication bypass known as \"HP Backdoor\" was discovered during a Lenovo security audit in the serial console, Telnet, SSH, and Web interfaces. This bypass mechanism can be accessed when performing local authentication under specific circumstances. If exploited, admin-level access to the switch is granted."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Authentication Bypass",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-31T10:57:01.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://support.lenovo.com/us/en/product_security/LEN-16095"
            },
            {
              "name": "1040296",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1040296"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "DATE_PUBLIC": "2018-01-09T00:00:00",
              "ID": "CVE-2017-3765",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Enterprise Network Operating System affecting Lenovo and IBM RackSwitch and BladeCenter Products",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Earlier than"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo Group Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Enterprise Networking Operating System (ENOS) in Lenovo and IBM RackSwitch and BladeCenter products, an authentication bypass known as \"HP Backdoor\" was discovered during a Lenovo security audit in the serial console, Telnet, SSH, and Web interfaces. This bypass mechanism can be accessed when performing local authentication under specific circumstances. If exploited, admin-level access to the switch is granted."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Authentication Bypass"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/product_security/LEN-16095",
                  "refsource": "CONFIRM",
                  "url": "https://support.lenovo.com/us/en/product_security/LEN-16095"
                },
                {
                  "name": "1040296",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1040296"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2017-3765",
        "datePublished": "2018-01-10T18:00:00.000Z",
        "dateReserved": "2016-12-16T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:10:39.100Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }