Lucene search

LenovoCVE-2021-3956

HistoryMay 18, 2022 - 4:15 p.m.

CVE-2021-3956

2022-05-1816:15:08

CWE-863

lenovo

web.nvd.nist.gov

lenovo

xclarity

xcc

firmware

authentication bypass

vulnerability

ldap

active directory

nvd

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.6

Confidence

High

EPSS

0.001

Percentile

31.9%

JSON

A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only “authenticated bind” and/or “anonymous bind” are not affected.

Affected configurations

Nvd

Node

lenovothinkagile_hx1320Match-

lenovothinkagile_hx1321Match-

lenovothinkagile_hx1520-rMatch-

lenovothinkagile_hx1521-rMatch-

lenovothinkagile_hx2320-eMatch-

lenovothinkagile_hx2321Match-

lenovothinkagile_hx3320Match-

lenovothinkagile_hx3321Match-

lenovothinkagile_hx3375Match-

lenovothinkagile_hx3376Match-

lenovothinkagile_hx3520-gMatch-

lenovothinkagile_hx3521-gMatch-

lenovothinkagile_hx5520Match-

lenovothinkagile_hx5520-cMatch-

lenovothinkagile_hx5521Match-

lenovothinkagile_hx5521-cMatch-

lenovothinkagile_hx7520Match-

lenovothinkagile_hx7521Match-

lenovothinkagile_vx2320Match-

lenovothinkagile_vx3320Match-

lenovothinkagile_vx3520-gMatch-

lenovothinkagile_vx5520Match-

lenovothinkagile_vx7320_nMatch-

lenovothinkagile_vx7520Match-

lenovothinkagile_vx7520_nMatch-

lenovothinkstation_p920Match-

lenovothinksystem_sr530Match-

lenovothinksystem_sr550Match-

lenovothinksystem_sr570Match-

lenovothinksystem_sr590Match-

lenovothinksystem_sr630Match-

lenovothinksystem_sr645Match-

lenovothinksystem_sr650Match-

lenovothinksystem_sr665Match-

lenovothinksystem_st550Match-

AND

lenovoxclarity_controllerRange<7.22_cdi382o

Node

lenovothinkagile_hx7820Match-

lenovothinkagile_hx7821Match-

lenovothinksystem_sr950Match-

AND

lenovoxclarity_controllerRange<2.32_psi342n

Node

lenovothinkagile_mx1021Match-

lenovothinksystem_se350Match-

AND

lenovoxclarity_controllerRange<3.41_tei382m

Node

lenovothinksystem_sd650Match-

lenovothinksystem_sn550Match-

lenovothinksystem_sn850Match-

lenovothinksystem_sr850Match-

lenovothinksystem_sr860Match-

AND

lenovoxclarity_controllerRange<4.83_tei3c0n

Node

lenovothinksystem_sr850Match2.0

lenovothinksystem_sr860Match2.0

AND

lenovoxclarity_controllerRange<1.51_tgbt24l

VendorProductVersionCPE
lenovothinkagile_hx1320-cpe:2.3:h:lenovo:thinkagile_hx1320:-:*:*:*:*:*:*:*
lenovothinkagile_hx1321-cpe:2.3:h:lenovo:thinkagile_hx1321:-:*:*:*:*:*:*:*
lenovothinkagile_hx1520-r-cpe:2.3:h:lenovo:thinkagile_hx1520-r:-:*:*:*:*:*:*:*
lenovothinkagile_hx1521-r-cpe:2.3:h:lenovo:thinkagile_hx1521-r:-:*:*:*:*:*:*:*
lenovothinkagile_hx2320-e-cpe:2.3:h:lenovo:thinkagile_hx2320-e:-:*:*:*:*:*:*:*
lenovothinkagile_hx2321-cpe:2.3:h:lenovo:thinkagile_hx2321:-:*:*:*:*:*:*:*
lenovothinkagile_hx3320-cpe:2.3:h:lenovo:thinkagile_hx3320:-:*:*:*:*:*:*:*
lenovothinkagile_hx3321-cpe:2.3:h:lenovo:thinkagile_hx3321:-:*:*:*:*:*:*:*
lenovothinkagile_hx3375-cpe:2.3:h:lenovo:thinkagile_hx3375:-:*:*:*:*:*:*:*
lenovothinkagile_hx3376-cpe:2.3:h:lenovo:thinkagile_hx3376:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
lenovo	thinkagile_hx1320	-	cpe:2.3:h:lenovo:thinkagile_hx1320:-:::::::*
lenovo	thinkagile_hx1321	-	cpe:2.3:h:lenovo:thinkagile_hx1321:-:::::::*
lenovo	thinkagile_hx1520-r	-	cpe:2.3:h:lenovo:thinkagile_hx1520-r:-:::::::*
lenovo	thinkagile_hx1521-r	-	cpe:2.3:h:lenovo:thinkagile_hx1521-r:-:::::::*
lenovo	thinkagile_hx2320-e	-	cpe:2.3:h:lenovo:thinkagile_hx2320-e:-:::::::*
lenovo	thinkagile_hx2321	-	cpe:2.3:h:lenovo:thinkagile_hx2321:-:::::::*
lenovo	thinkagile_hx3320	-	cpe:2.3:h:lenovo:thinkagile_hx3320:-:::::::*
lenovo	thinkagile_hx3321	-	cpe:2.3:h:lenovo:thinkagile_hx3321:-:::::::*
lenovo	thinkagile_hx3375	-	cpe:2.3:h:lenovo:thinkagile_hx3375:-:::::::*
lenovo	thinkagile_hx3376	-	cpe:2.3:h:lenovo:thinkagile_hx3376:-:::::::*

Rows per page:

1-10 of 481

CNA Affected

[
  {
    "product": "XClarity Controller (XCC)",
    "vendor": "Lenovo",
    "versions": [
      {
        "status": "affected",
        "version": "various Third Quarter 2021 releases"
      }
    ]
  }
]

References

support.lenovo.com/us/en/product_security/LEN-72074

Social References

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.6

Confidence

High

EPSS

0.001

Percentile

31.9%

JSON

Related for CVE-2021-3956