An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered Windows OS credentials, used to perform driver updates of managed systems, being written to a log file in clear text. This only affects LXCA version 2.6.0 when performing a Windows driver update. Affected logs are only accessible to authorized users in the First Failure Data Capture (FFDC) service log and log files on LXCA.
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:NLenovo Xclarity Administrator
APPLenovo2.6.0
Related vulnerabilities
OpenSLP releases in the 1.0.2 and 1.1.0 code streams have a heap-related memory corruption issue which may man...
Log files generated by Lenovo XClarity Administrator (LXCA) versions earlier than 1.2.2 may contain user crede...
A valid, authenticated LXCA user may be able to gain unauthorized access to events and other data stored in LX...
An unauthenticated XML external entity injection (XXE) vulnerability exists in LXCA's Common Information Model...
A valid, authenticated LXCA user with elevated privileges may be able to execute command injections through cr...