CVE-2021-3473

CWE-319 — Cleartext Transmission CWE-312 — Cleartext Storage of Sensitive Info3 documents3 sources

Severity

4.9MEDIUM

EPSS

0.1%

top 72.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lenovo Xclarity Controller (xcc)Lenovo Xclarity Controller

Timeline

PublishedApr 13

Latest updateMay 24

Description

An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is used to perform the backup/restore. The backup/restore password typically exists in this internal log buffer for less than 10 minutes before being overwritten. Generating an FFDC service log will include the log buffer contents, including the backup/restore password if present. …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:NExploitability: 0.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5lenovo/xclarity_controller_(xcc)unspecified — 6.00 CDI370Q+4

▶NVDlenovo/xclarity_controller4 versions+3

🔴Vulnerability Details

GHSA

GHSA-jcrf-qjqf-vj89: An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to↗2022-05-24

▶

CVEList

CVE-2021-3473: An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to↗2021-04-13

▶