CVE-2018-9082 - OpenCVE

For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user's current password to set a new one. As a result, attackers with access to the user's session tokens can change their password and retain access to the user's account

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Lenovo	Storcenter Px4-300d Firmware Px4-300d Px12-400r Firmware Px12-450r Firmware Px6-300d Firmware Storcenter Ix4-300d Storcenter Px2-300d Px4-400r Px6-300d Ez Media \& Backup Center Px12-400r Px4-400d Firmware Px4-300r Firmware Storcenter Px4-300r Storcenter Ix2-dl Firmware Storcenter Px4-300r Firmware Storcenter Ix4-300d Firmware Ez Media \& Backup Center Firmware Storcenter Px12-400r Px12-450r Storcenter Ix2-dl Storcenter Px12-400r Firmware Ix2 Storcenter Px2-300d Firmware Ix4-300d Firmware Storcenter Ix2 Px4-300d Firmware Px4-300r Px2-300d Ix4-300d Storcenter Px12-450r Firmware Px4-400r Firmware Ix2 Firmware Px4-400d Storcenter Px12-450r Storcenter Ix2 Firmware Storcenter Px6-300d Firmware Storcenter Px4-300d Storcenter Px6-300d Px2-300d Firmware

Configuration 1 [-]

AND

cpe:2.3:o:lenovo:storcenter_px12-450r_firmware:4.1.402.34662:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:storcenter_px12-450r:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:lenovo:storcenter_px12-400r_firmware:4.1.402.34662:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:storcenter_px12-400r:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:lenovo:storcenter_px4-300r_firmware:4.1.402.34662:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:storcenter_px4-300r:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:lenovo:storcenter_px6-300d_firmware:4.1.402.34662:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:storcenter_px6-300d:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:lenovo:storcenter_px4-300d_firmware:4.1.402.34662:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:storcenter_px4-300d:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:lenovo:storcenter_px2-300d_firmware:4.1.402.34662:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:storcenter_px2-300d:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:lenovo:storcenter_ix4-300d_firmware:4.1.402.34662:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:storcenter_ix4-300d:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:lenovo:storcenter_ix2_firmware:4.1.402.34662:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:storcenter_ix2:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:lenovo:storcenter_ix2-dl_firmware:4.1.402.34662:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:storcenter_ix2-dl:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:lenovo:ez_media_\&_backup_center_firmware:4.1.402.34662:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:ez_media_\&_backup_center:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:o:lenovo:px12-450r_firmware:4.1.402.34662:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:px12-450r:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:o:lenovo:px12-400r_firmware:4.1.402.34662:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:px12-400r:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND

cpe:2.3:o:lenovo:px4-400r_firmware:4.1.402.34662:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:px4-400r:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND

cpe:2.3:o:lenovo:px4-300r_firmware:4.1.402.34662:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:px4-300r:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND

cpe:2.3:o:lenovo:px6-300d_firmware:4.1.402.34662:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:px6-300d:-:*:*:*:*:*:*:*

Configuration 16 [-]

AND

cpe:2.3:o:lenovo:px4-400d_firmware:4.1.402.34662:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:px4-400d:-:*:*:*:*:*:*:*

Configuration 17 [-]

AND

cpe:2.3:o:lenovo:px4-300d_firmware:4.1.402.34662:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:px4-300d:-:*:*:*:*:*:*:*

Configuration 18 [-]

AND

cpe:2.3:o:lenovo:px2-300d_firmware:4.1.402.34662:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:px2-300d:-:*:*:*:*:*:*:*

Configuration 19 [-]

AND

cpe:2.3:o:lenovo:ix4-300d_firmware:4.1.402.34662:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:ix4-300d:-:*:*:*:*:*:*:*

Configuration 20 [-]

AND

cpe:2.3:o:lenovo:ix2_firmware:4.1.402.34662:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:ix2:-:*:*:*:*:*:*:*

Configuration 21 [-]

AND

cpe:2.3:o:lenovo:ez_media_\&_backup_center_firmware:4.1.402.34662:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:ez_media_\&_backup_center:-:*:*:*:*:*:*:*

References

Link	Resource
https://support.lenovo.com/us/en/solutions/LEN-24224	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: lenovo

Published: 2018-09-28T20:00:00

Updated: 2018-09-28T19:57:01

Reserved: 2018-03-27T00:00:00

Link: CVE-2018-9082

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-09-28T20:29:01.563

Modified: 2019-01-07T19:38:09.680

Link: CVE-2018-9082

JSON object: View

Redhat Information

No data.

CWE

CWE-384