CVE-2008-3249

medium

Description

The client in Lenovo System Update before 3.14 does not properly validate the certificate when establishing an SSL connection, which allows remote attackers to install arbitrary packages via an SSL certificate whose X.509 headers match a public certificate used by IBM.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/42638

http://www.securityfocus.com/bid/29366

http://www.securityfocus.com/archive/1/492579

http://www.security-objectives.com/advisories/SECOBJADV-2008-01.txt

http://securitytracker.com/id?1020112

http://secunia.com/advisories/30379

Details

Source: Mitre, NVD

Published: 2008-07-21

Updated: 2017-08-08

Risk Information

CVSS v2

Base Score: 5.1

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Severity: Medium