VYPR
Medium severity4.3NVD Advisory· Published May 18, 2022· Updated Jun 17, 2026

CVE-2021-3956

CVE-2021-3956

Description

A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only “authenticated bind” and/or “anonymous bind” are not affected.

Affected products

2
  • Lenovo/XClarity Controllerllm-fuzzy2 versions
    Third Quarter 2021 release+ 1 more
    • (no CPE)range: Third Quarter 2021 release
    • (no CPE)range: various Third Quarter 2021 releases

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.