CVE-2021-3849

EPSS 0.51%
Published 22.04.2022 21:15:09
Last modified 21.11.2024 06:22:38
Source psirt@lenovo.com
Teams watchlist Login
Open Login

An authentication bypass vulnerability was discovered in the web interface of the Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM) firmware that could allow an unauthenticated attacker to execute commands on the SMM and FPC2. SMM2 is not affected.

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Lenovo ≫ Nextscale N1200 Enclosure Firmware Version < fhet50b-2.90

Lenovo ≫ Nextscale N1200 Enclosure Version-

Lenovo ≫ Thinkagile Hx Enclosure Certified Node Firmware Version < tesm28b-1.21

Lenovo ≫ Thinkagile Hx Enclosure Certified Node Version-

Lenovo ≫ Thinkagile Vx Enclosure Firmware Version < tesm28b-1.21

Lenovo ≫ Thinkagile Vx Enclosure Version-

Lenovo ≫ Thinksystem D2 Enclosure Firmware Version < tesm28b-1.21

Lenovo ≫ Thinksystem D2 Enclosure Version-

Ibm ≫ Nextscale Fan Power Controller Firmware Version < 44a-3.70

Ibm ≫ Nextscale Fan Power Controller Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.51%	0.652

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
psirt@lenovo.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-288 Authentication Bypass Using an Alternate Path or Channel

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

https://support.lenovo.com/us/en/product_security/LEN-72615

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-3849

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-3849

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-3849

EUVD