PT-2022-10923 · Lenovo · Lenovo Xclarity Controller

Published

2022-05-18

Updated

2022-06-06

CVE-2021-3956

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Lenovo XClarity Controller (XCC) firmware (affected versions not specified)

Description A read-only authentication bypass issue was reported in Lenovo XClarity Controller (XCC) firmware. This issue affects XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports unauthenticated bind, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, allowing the XCC device configuration to be viewed but not changed.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

CVE-2021-3956

Affected Products

Lenovo Xclarity Controller

PT-2022-10923 · Lenovo · Lenovo Xclarity Controller

CVE-2021-3956

Weakness Enumeration

Related Identifiers

Affected Products

References · 4