CVE-2021-3473
CVSS base score: 4.9
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.2 / Impact: 3.6
Source: NVD
Description
An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is used to perform the backup/restore. The backup/restore password typically exists in this internal log buffer for less than 10 minutes before being overwritten. Generating an FFDC service log will include the log buffer contents, including the backup/restore password if present. The FFDC service log is only generated when requested by a privileged XCC user and it is only accessible to the privileged XCC user that requested the file. The backup/restore password is not captured if the backup/restore is initiated directly from XCC.
Affected (4)
Products: Lenovo: XClarity Controller
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Lenovo XClarity Controller | Version 6.00_cdi370q |

| Running on/with | Platform Versions |
|---|---|
| Lenovo ThinkSystem SR530 | All versions |
| Lenovo ThinkSystem SR570 | All versions |
| Lenovo ThinkSystem SR590 | All versions |
| Lenovo ThinkSystem SR630 | All versions |
| Lenovo ThinkSystem SR650 | All versions |
| Lenovo ThinkSystem ST550 | All versions |
| Lenovo ThinkSystem ST558 | All versions |
Configuration B
| Vulnerable Software | Affected Versions |
|---|---|
| Lenovo XClarity Controller | Version 1.10_tgbt12q |

| Running on/with | Platform Versions |
|---|---|
| Lenovo ThinkAgile MX1020 | All versions |
| Lenovo ThinkAgile MX Certified Nodes | All versions |
| Lenovo ThinkSystem SE350 | All versions |
| Lenovo ThinkSystem SR670 | All versions |
| Lenovo ThinkSystem SR850P | All versions |
Configuration C
| Vulnerable Software | Affected Versions |
|---|---|
| Lenovo XClarity Controller | Version 2.14_psi338i |

| Running on/with | Platform Versions |
|---|---|
| Lenovo ThinkSystem SR950 | All versions |
Configuration D
| Vulnerable Software | Affected Versions |
|---|---|
| Lenovo XClarity Controller | Version 4.40_tei3b2p |

| Running on/with | Platform Versions |
|---|---|
| Lenovo ThinkAgile HX1320 | All versions |
| Lenovo ThinkAgile HX2320 | All versions |
| Lenovo ThinkAgile HX3320 | All versions |
| Lenovo ThinkAgile HX3375 | All versions |
| Lenovo ThinkAgile HX3520 G | All versions |
| Lenovo ThinkAgile HX3720 | All versions |
| Lenovo ThinkAgile HX5520 | All versions |
| Lenovo ThinkAgile HX7520 | All versions |
| Lenovo ThinkAgile HX7820 | All versions |
| Lenovo ThinkAgile VX 1U | All versions |
| Lenovo ThinkAgile VX 2U | All versions |
| Lenovo ThinkAgile VX Dense | All versions |
| Lenovo ThinkSystem SD530 | All versions |
| Lenovo ThinkSystem SD650 | All versions |
| Lenovo ThinkSystem SN550 | All versions |
| Lenovo ThinkSystem SN850 | All versions |
| Lenovo ThinkSystem SR150 | All versions |
| Lenovo ThinkSystem SR158 | All versions |
| Lenovo ThinkSystem SR250 | All versions |
| Lenovo ThinkSystem SR258 | All versions |
| Lenovo ThinkSystem SR850 | All versions |
| Lenovo ThinkSystem SR860 | All versions |
| Lenovo ThinkSystem ST250 | All versions |
| Lenovo ThinkSystem ST258 | All versions |
Related CWEs
CWE-312: Cleartext Storage of Sensitive Information
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
CWE-319: Cleartext Transmission of Sensitive Information
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
References (2)
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Timeline
No history available yet.