CVE-2021-3956

Summary

CVE	CVE-2021-3956
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-05-18 16:15:00 UTC
Updated	2022-06-06 18:28:00 UTC
Description	A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only “authenticated bind” and/or “anonymous bind” are not affected.

Risk And Classification

Problem Types: CWE-863

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Hardware	Lenovo	Thinkagile Hx1320	-	All	All	All
Hardware	Lenovo	Thinkagile Hx1321	-	All	All	All
Hardware	Lenovo	Thinkagile Hx1520-r	-	All	All	All
Hardware	Lenovo	Thinkagile Hx1521-r	-	All	All	All
Hardware	Lenovo	Thinkagile Hx2320-e	-	All	All	All
Hardware	Lenovo	Thinkagile Hx2321	-	All	All	All
Hardware	Lenovo	Thinkagile Hx3320	-	All	All	All
Hardware	Lenovo	Thinkagile Hx3321	-	All	All	All
Hardware	Lenovo	Thinkagile Hx3375	-	All	All	All
Hardware	Lenovo	Thinkagile Hx3376	-	All	All	All
Hardware	Lenovo	Thinkagile Hx3520-g	-	All	All	All
Hardware	Lenovo	Thinkagile Hx3521-g	-	All	All	All
Hardware	Lenovo	Thinkagile Hx5520	-	All	All	All
Hardware	Lenovo	Thinkagile Hx5520-c	-	All	All	All
Hardware	Lenovo	Thinkagile Hx5521	-	All	All	All
Hardware	Lenovo	Thinkagile Hx5521-c	-	All	All	All
Hardware	Lenovo	Thinkagile Hx7520	-	All	All	All
Hardware	Lenovo	Thinkagile Hx7521	-	All	All	All
Hardware	Lenovo	Thinkagile Hx7820	-	All	All	All
Hardware	Lenovo	Thinkagile Hx7821	-	All	All	All
Hardware	Lenovo	Thinkagile Mx1021	-	All	All	All
Hardware	Lenovo	Thinkagile Vx2320	-	All	All	All
Hardware	Lenovo	Thinkagile Vx3320	-	All	All	All
Hardware	Lenovo	Thinkagile Vx3520-g	-	All	All	All
Hardware	Lenovo	Thinkagile Vx5520	-	All	All	All
Hardware	Lenovo	Thinkagile Vx7320 N	-	All	All	All
Hardware	Lenovo	Thinkagile Vx7520	-	All	All	All
Hardware	Lenovo	Thinkagile Vx7520 N	-	All	All	All
Hardware	Lenovo	Thinkstation P920	-	All	All	All
Hardware	Lenovo	Thinksystem Sd650	-	All	All	All
Hardware	Lenovo	Thinksystem Se350	-	All	All	All
Hardware	Lenovo	Thinksystem Sn550	-	All	All	All
Hardware	Lenovo	Thinksystem Sn850	-	All	All	All
Hardware	Lenovo	Thinksystem Sr530	-	All	All	All
Hardware	Lenovo	Thinksystem Sr550	-	All	All	All
Hardware	Lenovo	Thinksystem Sr570	-	All	All	All
Hardware	Lenovo	Thinksystem Sr590	-	All	All	All
Hardware	Lenovo	Thinksystem Sr630	-	All	All	All
Hardware	Lenovo	Thinksystem Sr645	-	All	All	All
Hardware	Lenovo	Thinksystem Sr650	-	All	All	All
Hardware	Lenovo	Thinksystem Sr665	-	All	All	All
Hardware	Lenovo	Thinksystem Sr850	-	All	All	All
Hardware	Lenovo	Thinksystem Sr850	2.0	All	All	All
Hardware	Lenovo	Thinksystem Sr860	-	All	All	All
Hardware	Lenovo	Thinksystem Sr860	2.0	All	All	All
Hardware	Lenovo	Thinksystem Sr950	-	All	All	All
Hardware	Lenovo	Thinksystem St550	-	All	All	All
Application	Lenovo	Xclarity Controller	All	All	All	All

References

Reference	Source	Link	Tags
Read-Only LDAP Authentication Bypass Vulnerability in Lenovo XClarity Controller (XCC) Firmware - Lenovo Support US	CONFIRM	support.lenovo.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.