CVE-2021-3956
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-3956
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Description
A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only “authenticated bind” and/or “anonymous bind” are not affected.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不正确
Source: NVD (National Vulnerability Database)
Vulnerability Title
Lenovo XClarity Controller 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Lenovo XClarity Controller(XCC)是中国联想(Lenovo)公司的一款服务器嵌入式管理引擎,它主要用于标准化和自动化基础服务器管理任务。 Lenovo XClarity Controller存在安全漏洞,该漏洞源于该漏洞影响在 LDAP 身份验证模式下配置并使用支持“未经身份验证绑定”的 LDAP 服务器(例如 Microsoft Active Directory)的 XCC 设备。未经身份验证的用户可以在此类配置中获得对 XCC 的只读访问权限,从而允许查看但不能更改 XCC
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Lenovo | XClarity Controller (XCC) | various Third Quarter 2021 releases | - |
II. Public POCs for CVE-2021-3956
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-3956
请登录查看更多情报信息。
- https://support.lenovo.com/us/en/product_security/LEN-72074x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2021-3956
Same Patch Batch · Lenovo · 2022-05-18 · 9 CVEs total
| CVE-2021-42850 | 8.8 HIGH | Lenovo Personal Cloud Storage 信任管理问题漏洞 |
| CVE-2021-42852 | 8.0 HIGH | Lenovo Personal Cloud Storage 操作系统命令注入漏洞 |
| CVE-2021-3969 | 7.8 HIGH | Lenovo Vantage 安全漏洞 |
| CVE-2021-3922 | 7.8 HIGH | Lenovo Vantage 竞争条件问题漏洞 |
| CVE-2021-42849 | 6.8 MEDIUM | Lenovo Personal Cloud Storage 授权问题漏洞 |
| CVE-2021-42851 | 6.3 MEDIUM | Lenovo Personal Cloud Storage 安全漏洞 |
| CVE-2022-1110 | 5.5 MEDIUM | Lenovo Smart Standby Driver 安全漏洞 |
| CVE-2021-42848 | 4.3 MEDIUM | Lenovo Personal Cloud Storage 安全漏洞 |
IV. Related Vulnerabilities
Same weakness: CWE-863
- CVE-2026-42571
Privilege Escalation Attack affecting Pelican Web UI - CVE-2025-15633
HCL BigFix WebUI is affected by an improper authorization vu - CVE-2026-42296
Argo Workflows has incomplete fix for CVE-2026-31892: hostNe - CVE-2025-66170
Apache CloudStack: Any user can list backups that they shoul - CVE-2026-41903
FreeScout IDOR Vulnerability: PERM_EDIT_USERS allows modifyi
V. Comments for CVE-2021-3956
No comments yet