4.9

CVE-2021-3473

An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is used to perform the backup/restore. The backup/restore password typically exists in this internal log buffer for less than 10 minutes before being overwritten. Generating an FFDC service log will include the log buffer contents, including the backup/restore password if present. The FFDC service log is only generated when requested by a privileged XCC user and it is only accessible to the privileged XCC user that requested the file. The backup/restore password is not captured if the backup/restore is initiated directly from XCC.

Data is provided by the National Vulnerability Database (NVD)
LenovoXclarity Controller Version6.00_cdi370q
   LenovoThinkagile Hx1320 Version-
   LenovoThinkagile Hx2320 Version-
   LenovoThinkagile Hx3320 Version-
   LenovoThinkagile Hx3375 Version-
   LenovoThinkagile Hx3520-g Version-
   LenovoThinkagile Hx3720 Version-
   LenovoThinkagile Hx5520 Version-
   LenovoThinkagile Hx7520 Version-
   LenovoThinkagile Hx7820 Version-
   LenovoThinkagile Mx Certified Nodes Version-
   LenovoThinkagile Vx 1u Version-
   LenovoThinkagile Vx 2u Version-
   LenovoThinkagile Vx Dense Version-
   LenovoThinksystem Sr530 Version-
   LenovoThinksystem Sr570 Version-
   LenovoThinksystem Sr590 Version-
   LenovoThinksystem Sr630 Version-
   LenovoThinksystem Sr650 Version-
   LenovoThinksystem St550 Version-
   LenovoThinksystem St558 Version-
LenovoXclarity Controller Version1.10_tgbt12q
   LenovoThinkagile Hx1320 Version-
   LenovoThinkagile Hx2320 Version-
   LenovoThinkagile Hx3320 Version-
   LenovoThinkagile Hx3375 Version-
   LenovoThinkagile Hx3520-g Version-
   LenovoThinkagile Hx3720 Version-
   LenovoThinkagile Hx5520 Version-
   LenovoThinkagile Hx7520 Version-
   LenovoThinkagile Hx7820 Version-
   LenovoThinkagile Mx Certified Nodes Version-
   LenovoThinkagile Mx1020 Version-
   LenovoThinkagile Vx 1u Version-
   LenovoThinkagile Vx 2u Version-
   LenovoThinkagile Vx Dense Version-
   LenovoThinksystem Se350 Version-
   LenovoThinksystem Sr670 Version-
   LenovoThinksystem Sr850p Version-
LenovoXclarity Controller Version2.14_psi338i
   LenovoThinksystem Sr950 Version-
LenovoXclarity Controller Version4.40_tei3b2p
   LenovoThinkagile Hx1320 Version-
   LenovoThinkagile Hx2320 Version-
   LenovoThinkagile Hx3320 Version-
   LenovoThinkagile Hx3375 Version-
   LenovoThinkagile Hx3520-g Version-
   LenovoThinkagile Hx3720 Version-
   LenovoThinkagile Hx5520 Version-
   LenovoThinkagile Hx7520 Version-
   LenovoThinkagile Hx7820 Version-
   LenovoThinkagile Vx 1u Version-
   LenovoThinkagile Vx 2u Version-
   LenovoThinkagile Vx Dense Version-
   LenovoThinksystem Sd530 Version-
   LenovoThinksystem Sd650 Version-
   LenovoThinksystem Sn550 Version-
   LenovoThinksystem Sn850 Version-
   LenovoThinksystem Sr150 Version-
   LenovoThinksystem Sr158 Version-
   LenovoThinksystem Sr250 Version-
   LenovoThinksystem Sr258 Version-
   LenovoThinksystem Sr850 Version-
   LenovoThinksystem Sr860 Version-
   LenovoThinksystem St250 Version-
   LenovoThinksystem St258 Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.1% 0.248
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 4.9 1.2 3.6
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 4 8 2.9
AV:N/AC:L/Au:S/C:P/I:N/A:N
psirt@lenovo.com 4.5 0.9 3.6
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
CWE-312 Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

CWE-319 Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.