Description
The client in Lenovo System Update before 3.14 does not properly validate the certificate when establishing an SSL connection, which allows remote attackers to install arbitrary packages via an SSL certificate whose X.509 headers match a public certificate used by IBM.
References (6)
Core References
Patch, Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/30379
Various Sources x_refsource_misc
http://www.security-objectives.com/advisories/SECOBJADV-2008-01.txt
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/29366
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/492579
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/42638
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://securitytracker.com/id?1020112
Scores
EPSS
0.0072
EPSS Percentile
72.7%
Details
CWE
CWE-255
Status
published
Products (2)
lenovo/thinkvantage_system_update
3.13
lenovo/thinkvantage_system_update
< 3.13.0005
Published
Jul 21, 2008
Tracked Since
Feb 18, 2026