CVE-2021-3956

Description

A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only “authenticated bind” and/or “anonymous bind” are not affected.

Remediation

Solution:

  • Update to the Lenovo XClarity Controller (XCC) version (or higher) as recommended in the Product Impact section of LEN-72074.

Category

4.3
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.10%
Vendor Advisory lenovo.com
Affected: Lenovo XClarity Controller (XCC)
Published at:
Updated at:

References

Link Tags
https://support.lenovo.com/us/en/product_security/LEN-72074 vendor advisory

Frequently Asked Questions

What is the severity of CVE-2021-3956?
CVE-2021-3956 has been scored as a medium severity vulnerability.
How to fix CVE-2021-3956?
To fix CVE-2021-3956: Update to the Lenovo XClarity Controller (XCC) version (or higher) as recommended in the Product Impact section of LEN-72074.
Is CVE-2021-3956 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-3956 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-3956?
CVE-2021-3956 affects Lenovo XClarity Controller (XCC).
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.