Details of VAR-202103-1457

ID

VAR-202103-1457

CVE

CVE-2021-3417

TITLE

LXCO Vulnerability in plaintext transmission of important information in

Trust: 0.8

sources: JVNDB: JVNDB-2021-004364

DESCRIPTION

An internal product security audit of LXCO, prior to version 1.2.2, discovered that credentials for Lenovo XClarity Administrator (LXCA), if added as a Resource Manager, are encoded then written to an internal LXCO log file each time a session is established with LXCA. Affected logs are captured in the First Failure Data Capture (FFDC) service log. The FFDC service log is only generated when requested by a privileged LXCO user and it is only accessible to the privileged LXCO user that requested the file. LXCO Contains a vulnerability in the transmission of important information in clear text.Information may be obtained. Lenovo XClarity Orchestrator is an application software of China Lenovo (Lenovo). Provides centralized monitoring, management, and analytics for environments with large numbers of devices

Trust: 1.71

sources: NVD: CVE-2021-3417 // JVNDB: JVNDB-2021-004364 // VULHUB: VHN-387032

AFFECTED PRODUCTS

vendor:	lenovo	model:	xclarity orchestrator	scope:	lt	version:	1.2.2	Trust: 1.0
vendor:	lenovo	model:	xclarity orchestrator	scope:	eq	version:	1.2.2	Trust: 0.8
vendor:	lenovo	model:	xclarity orchestrator	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-004364 // NVD: CVE-2021-3417

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-3417
value:	MEDIUM
Trust: 1.0
psirt@lenovo.com:	CVE-2021-3417
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-3417
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202103-652
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-387032
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-3417
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-387032
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-3417
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.2
impactScore:	3.6
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2021-004364
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-387032 // JVNDB: JVNDB-2021-004364 // CNNVD: CNNVD-202103-652 // NVD: CVE-2021-3417 // NVD: CVE-2021-3417

PROBLEMTYPE DATA

problemtype:	CWE-319	Trust: 1.1
problemtype:	Sending important information in clear text (CWE-319) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-387032 // JVNDB: JVNDB-2021-004364 // NVD: CVE-2021-3417

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202103-652

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202103-652

PATCH

title:	LEN-49884	url:	https://support.lenovo.com/us/en/product_security/LEN-49884	Trust: 0.8
title:	Lenovo XClarity Orchestrator Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=144271	Trust: 0.6

sources: JVNDB: JVNDB-2021-004364 // CNNVD: CNNVD-202103-652

EXTERNAL IDS

db:	NVD	id:	CVE-2021-3417	Trust: 2.5
db:	LENOVO	id:	LEN-49884	Trust: 1.7
db:	JVNDB	id:	JVNDB-2021-004364	Trust: 0.8
db:	CNNVD	id:	CNNVD-202103-652	Trust: 0.6
db:	VULHUB	id:	VHN-387032	Trust: 0.1

sources: VULHUB: VHN-387032 // JVNDB: JVNDB-2021-004364 // CNNVD: CNNVD-202103-652 // NVD: CVE-2021-3417

REFERENCES

url:	https://support.lenovo.com/us/en/product_security/len-49884	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-3417	Trust: 0.8

sources: VULHUB: VHN-387032 // JVNDB: JVNDB-2021-004364 // CNNVD: CNNVD-202103-652 // NVD: CVE-2021-3417

SOURCES

db:	VULHUB	id:	VHN-387032
db:	JVNDB	id:	JVNDB-2021-004364
db:	CNNVD	id:	CNNVD-202103-652
db:	NVD	id:	CVE-2021-3417

LAST UPDATE DATE

2024-11-23T22:51:06.516000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-387032	date:	2021-03-15T00:00:00
db:	JVNDB	id:	JVNDB-2021-004364	date:	2021-11-18T09:07:00
db:	CNNVD	id:	CNNVD-202103-652	date:	2021-03-16T00:00:00
db:	NVD	id:	CVE-2021-3417	date:	2024-11-21T06:21:27.430

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-387032	date:	2021-03-09T00:00:00
db:	JVNDB	id:	JVNDB-2021-004364	date:	2021-11-18T00:00:00
db:	CNNVD	id:	CNNVD-202103-652	date:	2021-03-09T00:00:00
db:	NVD	id:	CVE-2021-3417	date:	2021-03-09T17:15:12.923