MEDIUM · 4.3

CVE-2021-3956

Vulnerability Description

A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only “authenticated bind” and/or “anonymous bind” are not affected.
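The failure mode described above is the LDAP "unauthenticated bind" of RFC 4513 section 5.1.2: a simple bind with a non-empty DN and an empty password succeeds on servers that permit it (Active Directory does by default), but the resulting authorization identity is anonymous. An authentication layer that treats "bind returned success" as "the user proved their identity" is therefore bypassable with any valid DN and no password. The following is an added, simulated example (not Lenovo code; how XCC's firmware actually performs the check is not public) that emulates the three bind cases in memory and contrasts a check that only looks at bind success with a hardened one that refuses empty passwords and verifies the authorization identity. All server, DN and password values are constructed for the example.

```python
"""Simulated LDAP simple-bind semantics (RFC 4513 section 5.1) and two login
checks built on top of them. Added example, not code from Lenovo or the CVE."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BindResult:
    success: bool
    authz_id: str  # authorization identity; "" means anonymous


class SimulatedLdapServer:
    """In-memory stand-in for a directory server (hypothetical, constructed).

    allow_unauthenticated_bind=True mirrors servers such as Active Directory
    that accept a non-empty DN with an empty password and grant anonymous
    authorization instead of failing the bind.
    """

    def __init__(self, users: dict, allow_unauthenticated_bind: bool):
        self._users = users
        self._allow_unauth = allow_unauthenticated_bind

    def simple_bind(self, dn: str, password: str) -> BindResult:
        # Anonymous bind: empty name and empty password, anonymous identity.
        if dn == "" and password == "":
            return BindResult(True, "")
        # Unauthenticated bind: name present, password empty.
        if dn != "" and password == "":
            if self._allow_unauth:
                return BindResult(True, "")  # success, but still anonymous
            return BindResult(False, "")     # invalidCredentials
        # Name/password bind: only succeeds with the correct password.
        if self._users.get(dn) == password:
            return BindResult(True, dn)
        return BindResult(False, "")


def vulnerable_login(server: SimulatedLdapServer, dn: str, password: str) -> bool:
    """Treats any successful bind as proof of identity (the flawed pattern)."""
    return server.simple_bind(dn, password).success


def hardened_login(server: SimulatedLdapServer, dn: str, password: str) -> bool:
    """Refuses empty credentials up front and requires that the server bound
    the session to the requested DN, not to the anonymous identity."""
    if not dn or not password:
        return False
    result = server.simple_bind(dn, password)
    return result.success and result.authz_id == dn


# Constructed sample directory and credentials.
ADMIN_DN = "cn=admin,dc=example,dc=com"
AD_LIKE = SimulatedLdapServer({ADMIN_DN: "s3cret"}, allow_unauthenticated_bind=True)
STRICT = SimulatedLdapServer({ADMIN_DN: "s3cret"}, allow_unauthenticated_bind=False)


if __name__ == "__main__":
    for name, server in (("AD-like", AD_LIKE), ("strict", STRICT)):
        print(f"{name}: empty password, vulnerable check ->",
              vulnerable_login(server, ADMIN_DN, ""))
        print(f"{name}: empty password, hardened check   ->",
              hardened_login(server, ADMIN_DN, ""))
        print(f"{name}: real password, hardened check    ->",
              hardened_login(server, ADMIN_DN, "s3cret"))
```

Against the AD-like server the vulnerable check accepts the admin DN with an empty password, while the hardened check rejects it and still accepts the real password; against a server that does not permit unauthenticated bind the empty-password bind itself fails, which is why the advisory lists such servers as unaffected. Rejecting empty passwords before binding is the portable fix, since it does not depend on how the directory server is configured.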

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: LOW
Integrity: NONE
Availability: NONE

Affected Products

Vendor | Product | Versions
Lenovo | XClarity Controller | < 7.22_cdi382o
Lenovo | ThinkAgile HX1320 | -
Lenovo | ThinkAgile HX1321 | -
Lenovo | ThinkAgile HX1520-R | -
Lenovo | ThinkAgile HX1521-R | -
Lenovo | ThinkAgile HX2320-E | -
Lenovo | ThinkAgile HX2321 | -
Lenovo | ThinkAgile HX3320 | -
Lenovo | ThinkAgile HX3321 | -
Lenovo | ThinkAgile HX3375 | -
Lenovo | ThinkAgile HX3376 | -
Lenovo | ThinkAgile HX3520-G | -
Lenovo | ThinkAgile HX3521-G | -
Lenovo | ThinkAgile HX5520 | -
Lenovo | ThinkAgile HX5520-C | -
Lenovo | ThinkAgile HX5521 | -
Lenovo | ThinkAgile HX5521-C | -
Lenovo | ThinkAgile HX7520 | -
Lenovo | ThinkAgile HX7521 | -
Lenovo | ThinkAgile VX2320 | -

Related Weaknesses (CWE)

References

FAQ

What is CVE-2021-3956?

CVE-2021-3956 is a vulnerability with a CVSS score of 4.3 (MEDIUM). A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports "unauthenticated bind". See the full vulnerability description above.

How severe is CVE-2021-3956?

CVE-2021-3956 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2021-3956?

Check the references section above for vendor advisories and patch information. Affected products include: Lenovo XClarity Controller (versions before 7.22_cdi382o), Lenovo ThinkAgile HX1320, Lenovo ThinkAgile HX1321, Lenovo ThinkAgile HX1520-R, Lenovo ThinkAgile HX1521-R, and the other ThinkAgile models listed in the affected products table above.