Sensitive Information Exposure in Lenovo XClarity Controller
CVE-2021-3473
4.5 MEDIUM
Summary
An internal Lenovo product security audit found that when Lenovo XClarity Administrator (LXCA) is used to back up or restore the configuration of the Lenovo XClarity Controller (XCC), the backup/restore password can be written to an internal XCC log buffer. That buffer may be included in First Failure Data Capture (FFDC) service logs generated by a privileged XCC user. The password is overwritten in the buffer within approximately ten minutes, but an FFDC bundle captured inside that window preserves it, so anyone who can generate those service logs, or who later obtains the bundle, may learn the backup/restore password.
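The practical check that follows from this is to scan an FFDC bundle for the backup/restore password before it leaves your hands, and to redact it if found. The script below is an added example, not Lenovo's code or tooling: it assumes the bundle is a gzip-compressed tar of text log files and that the operator knows the password used for the LXCA backup/restore. The file names and log lines it scans are constructed inline for illustration; the real FFDC layout is not documented on this page.

```python
"""Scan an XCC FFDC service-log bundle for backup/restore credentials.

Added example (not Lenovo code). Assumes the bundle is a gzip-compressed
tar of text log files and that the operator knows the LXCA backup/restore
password; the FFDC layout, file names and log lines below are constructed
for illustration, not taken from a real XCC.
"""
import io
import re
import tarfile

REDACTED = "[REDACTED]"
# key=value / key: value credential patterns worth flagging even when the
# exact password is not known
CRED_RE = re.compile(r"(?i)\b(passw(?:or)?d|passphrase)\s*([=:])\s*(\S+)")

# Constructed sample bundle: the second file stands in for the internal log
# buffer that the advisory says may carry the backup/restore password.
SAMPLE_MEMBERS = {
    "xcc/eventlog.txt":
        "2021-04-01T10:00:01Z INFO  user admin logged in from 10.0.0.5\n"
        "2021-04-01T10:02:17Z INFO  LXCA backup requested\n",
    "xcc/internal_buffer.log":
        "2021-04-01T10:02:18Z DEBUG backup_restore passphrase=Sup3rS3cret!\n"
        "2021-04-01T10:02:19Z DEBUG backup image written\n",
}


def build_bundle(members) -> bytes:
    """Pack {name: text} into an in-memory .tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in members.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_bundle(bundle: bytes) -> dict:
    """Unpack an in-memory .tar.gz into {name: text} (regular files only)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.isfile():
                f = tar.extractfile(m)
                if f is not None:
                    out[m.name] = f.read().decode("utf-8", errors="replace")
    return out


def redact_line(line: str, secrets) -> str:
    """Replace known secrets and any key=value credential with REDACTED."""
    for s in secrets:
        line = line.replace(s, REDACTED)
    return CRED_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}{REDACTED}", line)


def scan_bundle(bundle: bytes, secrets) -> list:
    """Return (member, line_no, redacted_line) for each line exposing a credential."""
    findings = []
    for name, text in read_bundle(bundle).items():
        for n, line in enumerate(text.splitlines(), 1):
            known = any(s in line for s in secrets)
            m = CRED_RE.search(line)
            # a value that is already REDACTED is not a finding
            pattern = m is not None and m.group(3) != REDACTED
            if known or pattern:
                findings.append((name, n, redact_line(line, secrets)))
    return findings


def redact_bundle(bundle: bytes, secrets) -> bytes:
    """Produce a sanitized copy of the bundle with credentials removed."""
    clean = {name: "\n".join(redact_line(l, secrets) for l in text.splitlines()) + "\n"
             for name, text in read_bundle(bundle).items()}
    return build_bundle(clean)


if __name__ == "__main__":
    bundle = build_bundle(SAMPLE_MEMBERS)
    for name, n, line in scan_bundle(bundle, ["Sup3rS3cret!"]):
        print(f"{name}:{n}: {line}")
    clean = redact_bundle(bundle, ["Sup3rS3cret!"])
    print("findings after redaction:", scan_bundle(clean, ["Sup3rS3cret!"]))
```

Findings are reported with the secret already masked so the scanner's own output does not become a second copy of the password. The key=value pattern is a heuristic; on a real bundle, scan with the actual password you used for the backup, since only that match is authoritative.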
Affected Version(s)
XClarity Controller (XCC) < 6.00 CDI370Q
XClarity Controller (XCC) < 1.10 TGBT12Q
XClarity Controller (XCC) < 3.20 TEI378W
References
CVSS V3.1
Score:
4.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved