CVE-2018-9086

Summary

CVE	CVE-2018-9086
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2018-11-16 14:29:00 UTC
Updated	2020-08-24 17:37:00 UTC
Description	In some Lenovo ThinkServer-branded servers, a command injection vulnerability exists in the BMC firmware download command. This allows a privileged user to download and execute arbitrary code inside the BMC. This can only be exploited by authorized privileged users.

Risk And Classification

Problem Types: CWE-78

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Hardware	Lenovo	Thinkserver Rd340	-	All	All	All
Hardware	Lenovo	Thinkserver Rd340	-	All	All	All
Operating System	Lenovo	Thinkserver Rd340 Firmware	All	All	All	All
Operating System	Lenovo	Thinkserver Rd340 Firmware	All	All	All	All
Hardware	Lenovo	Thinkserver Rd440	-	All	All	All
Hardware	Lenovo	Thinkserver Rd440	-	All	All	All
Operating System	Lenovo	Thinkserver Rd440 Firmware	All	All	All	All
Operating System	Lenovo	Thinkserver Rd440 Firmware	All	All	All	All
Hardware	Lenovo	Thinkserver Rd640	-	All	All	All
Hardware	Lenovo	Thinkserver Rd640	-	All	All	All
Operating System	Lenovo	Thinkserver Rd640 Firmware	All	All	All	All
Operating System	Lenovo	Thinkserver Rd640 Firmware	All	All	All	All
Hardware	Lenovo	Thinkserver Td340	-	All	All	All
Hardware	Lenovo	Thinkserver Td340	-	All	All	All
Operating System	Lenovo	Thinkserver Td340 Firmware	All	All	All	All
Operating System	Lenovo	Thinkserver Td340 Firmware	All	All	All	All

References

Reference	Source	Link	Tags
Legacy Server BMC Remote Command Injection - Lenovo Support US	CONFIRM	support.lenovo.com	Patch, Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.