Details of VAR-201811-0333

ID

VAR-201811-0333

CVE

CVE-2018-16093

TITLE

Vmware for LXCI Vulnerable to unlimited upload of dangerous types of files

Trust: 0.8

sources: JVNDB: JVNDB-2018-012836

DESCRIPTION

In versions prior to 5.5, LXCI for VMware allows an authenticated user to write to any system file due to insufficient sanitization during the upload of a backup file. Vmware for LXCI Contains a vulnerability related to unlimited uploads of dangerous types of files.Information may be tampered with. Lenovo XClarity Integrator is prone to multiple security vulnerabilities: 1. An arbitrary-file-download vulnerability 2. An arbitrary file-overwrite vulnerability Attackers can overwrite arbitrary files on an unsuspecting user's computer in the context of the vulnerable application or download arbitrary files from the device filesystem and obtain potentially sensitive information.. The following versions of Lenovo XClarity Integrator are vulnerable: Lenovo XClarity Integrator for VMware versions prior to 5.5 are vulnerable.Lenovo XClarity Integrator for Microsoft System Center versions prior to 3.5 are vulnerable. Lenovo XClarity Integrator (LXCI) for Vmware is an application for Vmware from China Lenovo (Lenovo). The program offers extended capabilities such as infrastructure resource management, automation and IT service management. The vulnerability stems from the fact that the program does not perform sufficient filtering when uploading backup files

Trust: 1.98

sources: NVD: CVE-2018-16093 // JVNDB: JVNDB-2018-012836 // BID: 107583 // VULHUB: VHN-126418

AFFECTED PRODUCTS

vendor:	lenovo	model:	xclarity integrator	scope:	lt	version:	5.5	Trust: 1.0
vendor:	lenovo	model:	xclarity integrator	scope:	lt	version:	for vmware 5.5	Trust: 0.8
vendor:	lenovo	model:	xclarity integrator for vmware vcenter	scope:	eq	version:	5.4	Trust: 0.3
vendor:	lenovo	model:	xclarity integrator for microsoft system center	scope:	eq	version:	3.4	Trust: 0.3
vendor:	lenovo	model:	xclarity integrator for vmware vcenter	scope:	ne	version:	5.5	Trust: 0.3
vendor:	lenovo	model:	xclarity integrator for microsoft system center	scope:	ne	version:	3.5	Trust: 0.3

sources: BID: 107583 // JVNDB: JVNDB-2018-012836 // NVD: CVE-2018-16093

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-16093
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-16093
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201812-012
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-126418
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-16093
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-126418
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-16093
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-126418 // JVNDB: JVNDB-2018-012836 // CNNVD: CNNVD-201812-012 // NVD: CVE-2018-16093

PROBLEMTYPE DATA

problemtype:

CWE-434

Trust: 1.9

sources: VULHUB: VHN-126418 // JVNDB: JVNDB-2018-012836 // NVD: CVE-2018-16093

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201812-012

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201812-012

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-012836

PATCH

title:	LEN-23800	url:	https://support.lenovo.com/us/en/solutions/LEN-23800	Trust: 0.8
title:	Lenovo XClarity Integrator for Vmware Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=87348	Trust: 0.6

sources: JVNDB: JVNDB-2018-012836 // CNNVD: CNNVD-201812-012

EXTERNAL IDS

db:	NVD	id:	CVE-2018-16093	Trust: 2.8
db:	LENOVO	id:	LEN-23800	Trust: 2.0
db:	JVNDB	id:	JVNDB-2018-012836	Trust: 0.8
db:	CNNVD	id:	CNNVD-201812-012	Trust: 0.7
db:	BID	id:	107583	Trust: 0.3
db:	VULHUB	id:	VHN-126418	Trust: 0.1

sources: VULHUB: VHN-126418 // BID: 107583 // JVNDB: JVNDB-2018-012836 // CNNVD: CNNVD-201812-012 // NVD: CVE-2018-16093

REFERENCES

url:	https://support.lenovo.com/us/en/solutions/len-23800	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-16093	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-16093	Trust: 0.8
url:	https://support.lenovo.com/in/en/solutions/lnvo-scvmadd	Trust: 0.3
url:	https://support.lenovo.com/in/en/solutions/lnvo-vmware	Trust: 0.3
url:	https://support.lenovo.com/in/en/solutions/len-23800	Trust: 0.3

sources: VULHUB: VHN-126418 // BID: 107583 // JVNDB: JVNDB-2018-012836 // CNNVD: CNNVD-201812-012 // NVD: CVE-2018-16093

CREDITS

Lenovo

Trust: 0.3

sources: BID: 107583

SOURCES

db:	VULHUB	id:	VHN-126418
db:	BID	id:	107583
db:	JVNDB	id:	JVNDB-2018-012836
db:	CNNVD	id:	CNNVD-201812-012
db:	NVD	id:	CVE-2018-16093

LAST UPDATE DATE

2024-11-23T22:12:13.867000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-126418	date:	2018-12-28T00:00:00
db:	BID	id:	107583	date:	2018-11-29T00:00:00
db:	JVNDB	id:	JVNDB-2018-012836	date:	2019-02-08T00:00:00
db:	CNNVD	id:	CNNVD-201812-012	date:	2018-12-03T00:00:00
db:	NVD	id:	CVE-2018-16093	date:	2024-11-21T03:52:05.580

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-126418	date:	2018-11-30T00:00:00
db:	BID	id:	107583	date:	2018-11-29T00:00:00
db:	JVNDB	id:	JVNDB-2018-012836	date:	2019-02-08T00:00:00
db:	CNNVD	id:	CNNVD-201812-012	date:	2018-12-03T00:00:00
db:	NVD	id:	CVE-2018-16093	date:	2018-11-30T14:29:00.347