{"containers": {"cna": {"affected": [{"product": "XClarity Controller (XCC)", "vendor": "Lenovo", "versions": [{"status": "affected", "version": "various Third Quarter 2021 releases"}]}], "descriptions": [{"lang": "en", "value": "A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports \u201cunauthenticated bind\u201d, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only \u201cauthenticated bind\u201d and/or \u201canonymous bind\u201d are not affected."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-18T16:10:24", "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.lenovo.com/us/en/product_security/LEN-72074"}], "solutions": [{"lang": "en", "value": "Update to the Lenovo XClarity Controller (XCC) version (or higher) as recommended in the Product Impact section of LEN-72074."}], "source": {"advisory": "LEN-72074", "discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@lenovo.com", "ID": "CVE-2021-3956", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "XClarity Controller (XCC)", "version": {"version_data": [{"version_affected": "=", "version_value": "various Third Quarter 2021 releases"}]}}]}, "vendor_name": "Lenovo"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports \u201cunauthenticated bind\u201d, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only \u201cauthenticated bind\u201d and/or \u201canonymous bind\u201d are not affected."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-863 Incorrect Authorization"}]}]}, "references": {"reference_data": [{"name": "https://support.lenovo.com/us/en/product_security/LEN-72074", "refsource": "MISC", "url": "https://support.lenovo.com/us/en/product_security/LEN-72074"}]}, "solution": [{"lang": "en", "value": "Update to the Lenovo XClarity Controller (XCC) version (or higher) as recommended in the Product Impact section of LEN-72074."}], "source": {"advisory": "LEN-72074", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "assignerShortName": "lenovo", "cveId": "CVE-2021-3956", "datePublished": "2022-05-18T16:10:24", "dateReserved": "2021-11-12T00:00:00", "dateUpdated": "2022-05-18T16:10:24", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "1749A9CB-1719-4CC8-8476-D06D99BB2A2F", "versionEndExcluding": "7.22_cdi382o", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinkagile_hx1320:-:*:*:*:*:*:*:*", "matchCriteriaId": "E72B2526-8BD9-49FD-BDCF-B654BCEAC8AE", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx1321:-:*:*:*:*:*:*:*", "matchCriteriaId": "ADFD8C5A-D9E0-4EFF-92A3-17A6DBE7D155", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx1520-r:-:*:*:*:*:*:*:*", "matchCriteriaId": "648DD614-F500-4FFB-8FD4-D2B284FE5E55", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx1521-r:-:*:*:*:*:*:*:*", "matchCriteriaId": "D33A804F-C94C-4A6C-AA84-957834680652", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx2320-e:-:*:*:*:*:*:*:*", "matchCriteriaId": "DECFCE59-8456-47A3-8A8E-989813E37674", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx2321:-:*:*:*:*:*:*:*", "matchCriteriaId": "A5E515C4-D2F2-4A71-9A9C-70A80477352A", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3320:-:*:*:*:*:*:*:*", "matchCriteriaId": "03D3EBE9-34C1-45CA-A800-B313110409DC", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3321:-:*:*:*:*:*:*:*", "matchCriteriaId": "86E6A2F7-7EC0-46E1-A973-2172B076E883", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3375:-:*:*:*:*:*:*:*", "matchCriteriaId": "E8126219-A07C-42A6-9553-B6AE499DB6BF", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3376:-:*:*:*:*:*:*:*", "matchCriteriaId": "57D7A545-BE29-4F0B-AC77-8E6DE955CA5B", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3520-g:-:*:*:*:*:*:*:*", "matchCriteriaId": "B9D354C3-0183-42D9-97D0-C9888B023195", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3521-g:-:*:*:*:*:*:*:*", "matchCriteriaId": "1E0DDCC8-46B7-43FA-8A4A-BCE8AB7F8480", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx5520:-:*:*:*:*:*:*:*", "matchCriteriaId": "8A9FDCC0-F45C-4AA1-BB11-0761A25BF16B", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx5520-c:-:*:*:*:*:*:*:*", "matchCriteriaId": "4EB95DEC-D622-4AD7-AC69-077A94BD752C", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx5521:-:*:*:*:*:*:*:*", "matchCriteriaId": "924C1B4B-6E97-4942-8000-BB59860913EE", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx5521-c:-:*:*:*:*:*:*:*", "matchCriteriaId": "5788FFBD-69B4-4FB6-A2D2-4C6BA6CCE769", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx7520:-:*:*:*:*:*:*:*", "matchCriteriaId": "16776C5F-CCAF-4F22-B570-FE49A0B73FF7", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx7521:-:*:*:*:*:*:*:*", "matchCriteriaId": "F350D6FE-7BE1-46C9-B1A6-4EE0AF8BCB55", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx2320:-:*:*:*:*:*:*:*", "matchCriteriaId": "BF7500A0-B95E-4E16-B532-28C139C94AF3", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx3320:-:*:*:*:*:*:*:*", "matchCriteriaId": "4A8B3E93-970D-4B49-B5A6-6BFAC45BAAC4", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx3520-g:-:*:*:*:*:*:*:*", "matchCriteriaId": "72422C47-0027-4B4E-9C82-78FE8A8A6D75", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx5520:-:*:*:*:*:*:*:*", "matchCriteriaId": "704A1043-7626-412C-8666-9088B3AA1147", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx7320_n:-:*:*:*:*:*:*:*", "matchCriteriaId": "435794D6-7773-4D93-96E2-7269EB863A04", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx7520:-:*:*:*:*:*:*:*", "matchCriteriaId": "E25483F5-F222-42AF-ACA4-580CD2965C55", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx7520_n:-:*:*:*:*:*:*:*", "matchCriteriaId": "4C923CF1-EB97-431F-9D85-0CB5C921A040", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkstation_p920:-:*:*:*:*:*:*:*", "matchCriteriaId": "D47FCAA7-B33F-4F00-85BA-AA8ED4790572", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr530:-:*:*:*:*:*:*:*", "matchCriteriaId": "F4C6628A-8A99-4841-A7C5-0445A03C638D", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr550:-:*:*:*:*:*:*:*", "matchCriteriaId": "D10850BF-A7EA-4B84-B2EF-66DCCC301514", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr570:-:*:*:*:*:*:*:*", "matchCriteriaId": "8A7C5BE3-5429-46B0-B0B5-C86A9B6376A7", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr590:-:*:*:*:*:*:*:*", "matchCriteriaId": "A3DC615C-A88A-4C45-892F-77C5E84104E8", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr630:-:*:*:*:*:*:*:*", "matchCriteriaId": "D7F10C8D-C9C7-4FAD-980D-7A602C8BE81D", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr645:-:*:*:*:*:*:*:*", "matchCriteriaId": "DE27586B-1CC9-42A3-B763-93972E204A6D", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr650:-:*:*:*:*:*:*:*", "matchCriteriaId": "C6C2B5BB-6E1F-4E01-AAE8-A8239AB8945E", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr665:-:*:*:*:*:*:*:*", "matchCriteriaId": "1AE69184-CA94-4A27-AFF2-3B1B81D25CBA", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_st550:-:*:*:*:*:*:*:*", "matchCriteriaId": "A5B19107-5B45-4E45-8B34-90B5A1FF3962", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "6975F7A6-DBC8-42D4-B067-E397FD978F3E", "versionEndExcluding": "2.32_psi342n", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinkagile_hx7820:-:*:*:*:*:*:*:*", "matchCriteriaId": "DA2540A2-1462-42F7-949C-9881544DE684", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx7821:-:*:*:*:*:*:*:*", "matchCriteriaId": "0E153D62-9443-4F52-BA47-5C2704E05BC9", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr950:-:*:*:*:*:*:*:*", "matchCriteriaId": "B6B0407D-D603-48AE-9A42-F4C68056E19D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D3658E6-8820-45E5-8357-7A9EB564553A", "versionEndExcluding": "3.41_tei382m", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinkagile_mx1021:-:*:*:*:*:*:*:*", "matchCriteriaId": "C24F4237-BD63-4A87-B44A-970871642E27", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_se350:-:*:*:*:*:*:*:*", "matchCriteriaId": "FD4B877C-8D19-4AD2-948D-ADBD9B1BEEED", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "97D0E172-D188-4293-BD6D-94128304F07E", "versionEndExcluding": "4.83_tei3c0n", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinksystem_sd650:-:*:*:*:*:*:*:*", "matchCriteriaId": "7A1FF5D0-CC08-42B0-9798-55ED911B3EF6", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sn550:-:*:*:*:*:*:*:*", "matchCriteriaId": "5DB64709-93BA-43D8-A1DB-4CE405291430", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sn850:-:*:*:*:*:*:*:*", "matchCriteriaId": "1DB0C393-2CB4-485F-93E2-2F28B19F9325", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr850:-:*:*:*:*:*:*:*", "matchCriteriaId": "19771143-D5F1-4F2F-AB83-09913894681E", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr860:-:*:*:*:*:*:*:*", "matchCriteriaId": "EAF08144-ECCB-477B-A934-E4578522BFEE", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6F17BC4-421A-453D-B933-97AA7BBED79E", "versionEndExcluding": "1.51_tgbt24l", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinksystem_sr850:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "95893E4E-6850-4C53-A5D6-12C3B9BB0E92", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr860:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "E1F9CC8A-CCFA-4499-A2C8-6251EF43968D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports \u201cunauthenticated bind\u201d, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only \u201cauthenticated bind\u201d and/or \u201canonymous bind\u201d are not affected."}, {"lang": "es", "value": "Se ha informado de una vulnerabilidad de elusi\u00f3n de autenticaci\u00f3n de solo lectura en la versi\u00f3n del tercer trimestre de 2021 del firmware de Lenovo XClarity Controller (XCC) que afecta a los dispositivos XCC configurados en el modo de solo autenticaci\u00f3n LDAP y que usan un servidor LDAP que admite \u20ac\u0153unauthenticated bind\u00e2\u20ac?, como Microsoft Active Directory. Un usuario no autenticado puede conseguir acceso de s\u00f3lo lectura al XCC en dicha configuraci\u00f3n, lo que permite visualizar la configuraci\u00f3n del dispositivo XCC pero no modificarla. Los dispositivos XCC configurados para usar la autenticaci\u00f3n local, el modo de autenticaci\u00f3n + autorizaci\u00f3n LDAP o los servidores LDAP que s\u00f3lo admiten la \"vinculaci\u00f3n autenticada\" y/o la \"vinculaci\u00f3n an\u00f3nima\" no est\u00e1n afectados"}], "id": "CVE-2021-3956", "lastModified": "2022-06-06T18:28:15.027", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "psirt@lenovo.com", "type": "Secondary"}]}, "published": "2022-05-18T16:15:08.063", "references": [{"source": "psirt@lenovo.com", "tags": ["Vendor Advisory"], "url": "https://support.lenovo.com/us/en/product_security/LEN-72074"}], "sourceIdentifier": "psirt@lenovo.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "psirt@lenovo.com", "type": "Secondary"}]}

{}