CVE-2021-3473

Summary

CVE	CVE-2021-3473
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-04-13 21:15:00 UTC
Updated	2021-04-23 19:14:00 UTC
Description	An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is used to perform the backup/restore. The backup/restore password typically exists in this internal log buffer for less than 10 minutes before being overwritten. Generating an FFDC service log will include the log buffer contents, including the backup/restore password if present. The FFDC service log is only generated when requested by a privileged XCC user and it is only accessible to the privileged XCC user that requested the file. The backup/restore password is not captured if the backup/restore is initiated directly from XCC.

Risk And Classification

Problem Types: CWE-312

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Hardware	Lenovo	Thinkagile Hx1320	-	All	All	All
Hardware	Lenovo	Thinkagile Hx2320	-	All	All	All
Hardware	Lenovo	Thinkagile Hx3320	-	All	All	All
Hardware	Lenovo	Thinkagile Hx3375	-	All	All	All
Hardware	Lenovo	Thinkagile Hx3520-g	-	All	All	All
Hardware	Lenovo	Thinkagile Hx3720	-	All	All	All
Hardware	Lenovo	Thinkagile Hx5520	-	All	All	All
Hardware	Lenovo	Thinkagile Hx7520	-	All	All	All
Hardware	Lenovo	Thinkagile Hx7820	-	All	All	All
Hardware	Lenovo	Thinkagile Mx1020	-	All	All	All
Hardware	Lenovo	Thinkagile Mx Certified Nodes	-	All	All	All
Hardware	Lenovo	Thinkagile Vx 1u	-	All	All	All
Hardware	Lenovo	Thinkagile Vx 2u	-	All	All	All
Hardware	Lenovo	Thinkagile Vx Dense	-	All	All	All
Hardware	Lenovo	Thinksystem Sd530	-	All	All	All
Hardware	Lenovo	Thinksystem Sd650	-	All	All	All
Hardware	Lenovo	Thinksystem Se350	-	All	All	All
Hardware	Lenovo	Thinksystem Sn550	-	All	All	All
Hardware	Lenovo	Thinksystem Sn850	-	All	All	All
Hardware	Lenovo	Thinksystem Sr150	-	All	All	All
Hardware	Lenovo	Thinksystem Sr158	-	All	All	All
Hardware	Lenovo	Thinksystem Sr250	-	All	All	All
Hardware	Lenovo	Thinksystem Sr258	-	All	All	All
Hardware	Lenovo	Thinksystem Sr530	-	All	All	All
Hardware	Lenovo	Thinksystem Sr570	-	All	All	All
Hardware	Lenovo	Thinksystem Sr590	-	All	All	All
Hardware	Lenovo	Thinksystem Sr630	-	All	All	All
Hardware	Lenovo	Thinksystem Sr650	-	All	All	All
Hardware	Lenovo	Thinksystem Sr670	-	All	All	All
Hardware	Lenovo	Thinksystem Sr850	-	All	All	All
Hardware	Lenovo	Thinksystem Sr850p	-	All	All	All
Hardware	Lenovo	Thinksystem Sr860	-	All	All	All
Hardware	Lenovo	Thinksystem Sr950	-	All	All	All
Hardware	Lenovo	Thinksystem St250	-	All	All	All
Hardware	Lenovo	Thinksystem St258	-	All	All	All
Hardware	Lenovo	Thinksystem St550	-	All	All	All
Hardware	Lenovo	Thinksystem St558	-	All	All	All
Application	Lenovo	Xclarity Controller	1.10_tgbt12q	All	All	All
Application	Lenovo	Xclarity Controller	2.14_psi338i	All	All	All
Application	Lenovo	Xclarity Controller	4.40_tei3b2p	All	All	All
Application	Lenovo	Xclarity Controller	6.00_cdi370q	All	All	All

References

Reference	Source	Link	Tags
Lenovo XClarity Controller (XCC) Information Disclosure Vulnerability - Lenovo Support US	MISC	support.lenovo.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.