Medium severity4.3NVD Advisory· Published May 18, 2022· Updated Jun 17, 2026
CVE-2021-3956
CVE-2021-3956
Description
A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only “authenticated bind” and/or “anonymous bind” are not affected.
Affected products
2Third Quarter 2021 release+ 1 more
- (no CPE)range: Third Quarter 2021 release
- (no CPE)range: various Third Quarter 2021 releases
Patches
Vulnerability mechanics
References
1- support.lenovo.com/us/en/product_security/LEN-72074nvdVendor Advisory
News mentions
0No linked articles in our index yet.