CVE-2021-3956
MEDIUMLenovo XClarity Controller < 7.22_cdi382o - LDAP Auth Bypass (Unauthenticated Read-Only Access)
Title source: llmDescription
A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only “authenticated bind” and/or “anonymous bind” are not affected.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_misc
https://support.lenovo.com/us/en/product_security/LEN-72074
Scores
CVSS v3
4.3
EPSS
0.0018
EPSS Percentile
39.6%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-863
Status
published
Products (1)
lenovo/xclarity_controller
< 7.22_cdi382o
Published
May 18, 2022
Tracked Since
Feb 18, 2026