Internal Credential Logging Issue in Lenovo XClarity Administrator by Lenovo
CVE-2021-3417

4.9MEDIUM

Key Information:

Vendor: Lenovo
Status: Xclarity Orchestrator
Vendor: CVE Published:; 9 March 2021

Summary

An internal security audit of Lenovo XClarity Administrator revealed a vulnerability where sensitive credentials, when added as a Resource Manager, are encoded and logged each time a session is established. These logs are captured in the First Failure Data Capture (FFDC) service log, which is accessible only to privileged users upon request. The logging of these credentials poses a significant risk if the log files are improperly accessed or managed.

Affected Version(s)

XClarity Orchestrator < 1.2.2

References

https://support.lenovo.com/us/en/product_security/LEN-49884

x_refsource_MISC

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 9, 2021
Vulnerability Reserved
Feb 25, 2021