CVE-2021-3956 - Vulnerability Details - OpenCVE

A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only “authenticated bind” and/or “anonymous bind” are not affected.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00183.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Lenovo

XClarity Controller (XCC)

affected

Version	Status	Constraints
`various Third Quarter 2021 releases`	affected	—

Configuration 1 [-]

AND

cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:lenovo:thinkagile_hx1320:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx1321:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx1520-r:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx1521-r:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx2320-e:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx2321:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3320:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3321:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3375:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3376:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3520-g:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3521-g:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx5520:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx5520-c:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx5521:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx5521-c:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx7520:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx7521:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx2320:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx3320:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx3520-g:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx5520:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx7320_n:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx7520:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx7520_n:-:::::::*
	cpe:2.3:h:lenovo:thinkstation_p920:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr530:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr550:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr570:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr590:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr630:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr645:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr650:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr665:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_st550:-:::::::*

Configuration 2 [-]

AND

cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:lenovo:thinkagile_hx7820:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx7821:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr950:-:::::::*

Configuration 3 [-]

AND

cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:lenovo:thinkagile_mx1021:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_se350:-:::::::*

Configuration 4 [-]

AND

cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:lenovo:thinksystem_sd650:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sn550:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sn850:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr850:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr860:-:::::::*

Configuration 5 [-]

AND

cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:lenovo:thinksystem_sr850:2.0:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr860:2.0:::::::*

No data.

No data.

Project Subscriptions

Vendors	Products
Lenovo Subscribe	Thinkagile Hx1320 Subscribe Thinkagile Hx1321 Subscribe Thinkagile Hx1520-r Subscribe Thinkagile Hx1521-r Subscribe Thinkagile Hx2320-e Subscribe Thinkagile Hx2321 Subscribe Thinkagile Hx3320 Subscribe Thinkagile Hx3321 Subscribe Thinkagile Hx3375 Subscribe Thinkagile Hx3376 Subscribe Thinkagile Hx3520-g Subscribe Thinkagile Hx3521-g Subscribe Thinkagile Hx5520 Subscribe Thinkagile Hx5520-c Subscribe Thinkagile Hx5521 Subscribe Thinkagile Hx5521-c Subscribe Thinkagile Hx7520 Subscribe Thinkagile Hx7521 Subscribe Thinkagile Hx7820 Subscribe Thinkagile Hx7821 Subscribe Thinkagile Mx1021 Subscribe Thinkagile Vx2320 Subscribe Thinkagile Vx3320 Subscribe Thinkagile Vx3520-g Subscribe Thinkagile Vx5520 Subscribe Thinkagile Vx7320 N Subscribe Thinkagile Vx7520 Subscribe Thinkagile Vx7520 N Subscribe Thinkstation P920 Subscribe Thinksystem Sd650 Subscribe Thinksystem Se350 Subscribe Thinksystem Sn550 Subscribe Thinksystem Sn850 Subscribe Thinksystem Sr530 Subscribe Thinksystem Sr550 Subscribe Thinksystem Sr570 Subscribe Thinksystem Sr590 Subscribe Thinksystem Sr630 Subscribe Thinksystem Sr645 Subscribe Thinksystem Sr650 Subscribe Thinksystem Sr665 Subscribe Thinksystem Sr850 Subscribe Thinksystem Sr860 Subscribe Thinksystem Sr950 Subscribe Thinksystem St550 Subscribe Xclarity Controller Subscribe

Advisories

Source	ID	Title
EUVD	EUVD-2021-27165	A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only “authenticated bind” and/or “anonymous bind” are not affected.

Fixes

Solution

Update to the Lenovo XClarity Controller (XCC) version (or higher) as recommended in the Product Impact section of LEN-72074.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://support.lenovo.com/us/en/product_security/LEN-72074

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: lenovo

Published: 2022-05-18T16:10:24

Updated: 2024-08-03T17:09:09.619Z

Reserved: 2021-11-12T00:00:00

Link: CVE-2021-3956

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-05-18T16:15:08.063

Modified: 2024-11-21T06:23:13.527

Link: CVE-2021-3956

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-863

{"containers": {"cna": {"affected": [{"product": "XClarity Controller (XCC)", "vendor": "Lenovo", "versions": [{"status": "affected", "version": "various Third Quarter 2021 releases"}]}], "descriptions": [{"lang": "en", "value": "A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports \u201cunauthenticated bind\u201d, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only \u201cauthenticated bind\u201d and/or \u201canonymous bind\u201d are not affected."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-18T16:10:24", "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.lenovo.com/us/en/product_security/LEN-72074"}], "solutions": [{"lang": "en", "value": "Update to the Lenovo XClarity Controller (XCC) version (or higher) as recommended in the Product Impact section of LEN-72074."}], "source": {"advisory": "LEN-72074", "discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@lenovo.com", "ID": "CVE-2021-3956", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "XClarity Controller (XCC)", "version": {"version_data": [{"version_affected": "=", "version_value": "various Third Quarter 2021 releases"}]}}]}, "vendor_name": "Lenovo"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports \u201cunauthenticated bind\u201d, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only \u201cauthenticated bind\u201d and/or \u201canonymous bind\u201d are not affected."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-863 Incorrect Authorization"}]}]}, "references": {"reference_data": [{"name": "https://support.lenovo.com/us/en/product_security/LEN-72074", "refsource": "MISC", "url": "https://support.lenovo.com/us/en/product_security/LEN-72074"}]}, "solution": [{"lang": "en", "value": "Update to the Lenovo XClarity Controller (XCC) version (or higher) as recommended in the Product Impact section of LEN-72074."}], "source": {"advisory": "LEN-72074", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:09:09.619Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://support.lenovo.com/us/en/product_security/LEN-72074"}]}]}, "cveMetadata": {"assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "assignerShortName": "lenovo", "cveId": "CVE-2021-3956", "datePublished": "2022-05-18T16:10:24", "dateReserved": "2021-11-12T00:00:00", "dateUpdated": "2024-08-03T17:09:09.619Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "1749A9CB-1719-4CC8-8476-D06D99BB2A2F", "versionEndExcluding": "7.22_cdi382o", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinkagile_hx1320:-:*:*:*:*:*:*:*", "matchCriteriaId": "E72B2526-8BD9-49FD-BDCF-B654BCEAC8AE", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx1321:-:*:*:*:*:*:*:*", "matchCriteriaId": "ADFD8C5A-D9E0-4EFF-92A3-17A6DBE7D155", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx1520-r:-:*:*:*:*:*:*:*", "matchCriteriaId": "648DD614-F500-4FFB-8FD4-D2B284FE5E55", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx1521-r:-:*:*:*:*:*:*:*", "matchCriteriaId": "D33A804F-C94C-4A6C-AA84-957834680652", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx2320-e:-:*:*:*:*:*:*:*", "matchCriteriaId": "DECFCE59-8456-47A3-8A8E-989813E37674", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx2321:-:*:*:*:*:*:*:*", "matchCriteriaId": "A5E515C4-D2F2-4A71-9A9C-70A80477352A", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3320:-:*:*:*:*:*:*:*", "matchCriteriaId": "03D3EBE9-34C1-45CA-A800-B313110409DC", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3321:-:*:*:*:*:*:*:*", "matchCriteriaId": "86E6A2F7-7EC0-46E1-A973-2172B076E883", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3375:-:*:*:*:*:*:*:*", "matchCriteriaId": "E8126219-A07C-42A6-9553-B6AE499DB6BF", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3376:-:*:*:*:*:*:*:*", "matchCriteriaId": "57D7A545-BE29-4F0B-AC77-8E6DE955CA5B", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3520-g:-:*:*:*:*:*:*:*", "matchCriteriaId": "B9D354C3-0183-42D9-97D0-C9888B023195", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3521-g:-:*:*:*:*:*:*:*", "matchCriteriaId": "1E0DDCC8-46B7-43FA-8A4A-BCE8AB7F8480", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx5520:-:*:*:*:*:*:*:*", "matchCriteriaId": "8A9FDCC0-F45C-4AA1-BB11-0761A25BF16B", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx5520-c:-:*:*:*:*:*:*:*", "matchCriteriaId": "4EB95DEC-D622-4AD7-AC69-077A94BD752C", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx5521:-:*:*:*:*:*:*:*", "matchCriteriaId": "924C1B4B-6E97-4942-8000-BB59860913EE", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx5521-c:-:*:*:*:*:*:*:*", "matchCriteriaId": "5788FFBD-69B4-4FB6-A2D2-4C6BA6CCE769", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx7520:-:*:*:*:*:*:*:*", "matchCriteriaId": "16776C5F-CCAF-4F22-B570-FE49A0B73FF7", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx7521:-:*:*:*:*:*:*:*", "matchCriteriaId": "F350D6FE-7BE1-46C9-B1A6-4EE0AF8BCB55", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx2320:-:*:*:*:*:*:*:*", "matchCriteriaId": "BF7500A0-B95E-4E16-B532-28C139C94AF3", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx3320:-:*:*:*:*:*:*:*", "matchCriteriaId": "4A8B3E93-970D-4B49-B5A6-6BFAC45BAAC4", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx3520-g:-:*:*:*:*:*:*:*", "matchCriteriaId": "72422C47-0027-4B4E-9C82-78FE8A8A6D75", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx5520:-:*:*:*:*:*:*:*", "matchCriteriaId": "704A1043-7626-412C-8666-9088B3AA1147", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx7320_n:-:*:*:*:*:*:*:*", "matchCriteriaId": "435794D6-7773-4D93-96E2-7269EB863A04", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx7520:-:*:*:*:*:*:*:*", "matchCriteriaId": "E25483F5-F222-42AF-ACA4-580CD2965C55", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx7520_n:-:*:*:*:*:*:*:*", "matchCriteriaId": "4C923CF1-EB97-431F-9D85-0CB5C921A040", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkstation_p920:-:*:*:*:*:*:*:*", "matchCriteriaId": "D47FCAA7-B33F-4F00-85BA-AA8ED4790572", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr530:-:*:*:*:*:*:*:*", "matchCriteriaId": "F4C6628A-8A99-4841-A7C5-0445A03C638D", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr550:-:*:*:*:*:*:*:*", "matchCriteriaId": "D10850BF-A7EA-4B84-B2EF-66DCCC301514", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr570:-:*:*:*:*:*:*:*", "matchCriteriaId": "8A7C5BE3-5429-46B0-B0B5-C86A9B6376A7", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr590:-:*:*:*:*:*:*:*", "matchCriteriaId": "A3DC615C-A88A-4C45-892F-77C5E84104E8", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr630:-:*:*:*:*:*:*:*", "matchCriteriaId": "D7F10C8D-C9C7-4FAD-980D-7A602C8BE81D", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr645:-:*:*:*:*:*:*:*", "matchCriteriaId": "DE27586B-1CC9-42A3-B763-93972E204A6D", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr650:-:*:*:*:*:*:*:*", "matchCriteriaId": "C6C2B5BB-6E1F-4E01-AAE8-A8239AB8945E", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr665:-:*:*:*:*:*:*:*", "matchCriteriaId": "1AE69184-CA94-4A27-AFF2-3B1B81D25CBA", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_st550:-:*:*:*:*:*:*:*", "matchCriteriaId": "A5B19107-5B45-4E45-8B34-90B5A1FF3962", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "6975F7A6-DBC8-42D4-B067-E397FD978F3E", "versionEndExcluding": "2.32_psi342n", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinkagile_hx7820:-:*:*:*:*:*:*:*", "matchCriteriaId": "DA2540A2-1462-42F7-949C-9881544DE684", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx7821:-:*:*:*:*:*:*:*", "matchCriteriaId": "0E153D62-9443-4F52-BA47-5C2704E05BC9", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr950:-:*:*:*:*:*:*:*", "matchCriteriaId": "B6B0407D-D603-48AE-9A42-F4C68056E19D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D3658E6-8820-45E5-8357-7A9EB564553A", "versionEndExcluding": "3.41_tei382m", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinkagile_mx1021:-:*:*:*:*:*:*:*", "matchCriteriaId": "C24F4237-BD63-4A87-B44A-970871642E27", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_se350:-:*:*:*:*:*:*:*", "matchCriteriaId": "FD4B877C-8D19-4AD2-948D-ADBD9B1BEEED", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "97D0E172-D188-4293-BD6D-94128304F07E", "versionEndExcluding": "4.83_tei3c0n", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinksystem_sd650:-:*:*:*:*:*:*:*", "matchCriteriaId": "7A1FF5D0-CC08-42B0-9798-55ED911B3EF6", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sn550:-:*:*:*:*:*:*:*", "matchCriteriaId": "5DB64709-93BA-43D8-A1DB-4CE405291430", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sn850:-:*:*:*:*:*:*:*", "matchCriteriaId": "1DB0C393-2CB4-485F-93E2-2F28B19F9325", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr850:-:*:*:*:*:*:*:*", "matchCriteriaId": "19771143-D5F1-4F2F-AB83-09913894681E", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr860:-:*:*:*:*:*:*:*", "matchCriteriaId": "EAF08144-ECCB-477B-A934-E4578522BFEE", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6F17BC4-421A-453D-B933-97AA7BBED79E", "versionEndExcluding": "1.51_tgbt24l", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinksystem_sr850:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "95893E4E-6850-4C53-A5D6-12C3B9BB0E92", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr860:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "E1F9CC8A-CCFA-4499-A2C8-6251EF43968D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports \u201cunauthenticated bind\u201d, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only \u201cauthenticated bind\u201d and/or \u201canonymous bind\u201d are not affected."}, {"lang": "es", "value": "Se ha informado de una vulnerabilidad de elusi\u00f3n de autenticaci\u00f3n de solo lectura en la versi\u00f3n del tercer trimestre de 2021 del firmware de Lenovo XClarity Controller (XCC) que afecta a los dispositivos XCC configurados en el modo de solo autenticaci\u00f3n LDAP y que usan un servidor LDAP que admite \u20ac\u0153unauthenticated bind\u00e2\u20ac?, como Microsoft Active Directory. Un usuario no autenticado puede conseguir acceso de s\u00f3lo lectura al XCC en dicha configuraci\u00f3n, lo que permite visualizar la configuraci\u00f3n del dispositivo XCC pero no modificarla. Los dispositivos XCC configurados para usar la autenticaci\u00f3n local, el modo de autenticaci\u00f3n + autorizaci\u00f3n LDAP o los servidores LDAP que s\u00f3lo admiten la \"vinculaci\u00f3n autenticada\" y/o la \"vinculaci\u00f3n an\u00f3nima\" no est\u00e1n afectados"}], "id": "CVE-2021-3956", "lastModified": "2024-11-21T06:23:13.527", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "psirt@lenovo.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-18T16:15:08.063", "references": [{"source": "psirt@lenovo.com", "tags": ["Vendor Advisory"], "url": "https://support.lenovo.com/us/en/product_security/LEN-72074"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://support.lenovo.com/us/en/product_security/LEN-72074"}], "sourceIdentifier": "psirt@lenovo.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "psirt@lenovo.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}