CVE-2021-3956Incorrect Authorization in Lenovo Xclarity Controller

CWE-863Incorrect Authorization3 documents3 sources
Severity
5.3MEDIUMNVD
CNA4.3
EPSS
0.2%
top 59.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Lenovo Xclarity Controller
Timeline
PublishedMay 18
Latest updateMay 19

Description

A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local a

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

NVDlenovo/xclarity_controller< 7.22_cdi382o+4
CVEListV5lenovo/xclarity_controllervarious Third Quarter 2021 releases

🔴Vulnerability Details

2
GHSA
GHSA-fjvh-mchr-664c: A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting2022-05-19
CVEList
CVE-2021-3956: A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting2022-05-18
CVE-2021-3956 — Incorrect Authorization in Lenovo | cvebase