Command injection in Lenovo Service Framework - CVE-2017-3761
Published: October 18, 2017
Vulnerability identifier: #VU8860
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2017-3761
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Lenovo
Affected software:
Lenovo Service Framework
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the target device.
The weakness exists because the Lenovo Service Framework application executes some system commands without properly sanitizing external input. A remote attacker can inject commands and execute arbitrary code with elevated privileges.
How to mitigate CVE-2017-3761
Update to version 4.8.0.2403.