CVE-2021-3473

CVE-2021-3473 is a medium-severity vulnerability in Lenovo Xclarity Controller with a CVSS 3.x base score of 4.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-312.

Key facts

Description

An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is used to perform the backup/restore. The backup/restore password typically exists in this internal log buffer for less than 10 minutes before being overwritten. Generating an FFDC service log will include the log buffer contents, including the backup/restore password if present. The FFDC service log is only generated when requested by a privileged XCC user and it is only accessible to the privileged XCC user that requested the file. The backup/restore password is not captured if the backup/restore is initiated directly from XCC.

Frequently asked questions

What is CVE-2021-3473?
An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is used to perform the backup/restore. The backup/restore password typically exists in this internal log buffer for less than 10 minutes before being overwritten. Generating an FFDC service log will include the log buffer contents, including the backup/restore password if present. The FFDC service log is only generated when requested by a privileged XCC user and it is only accessible to the privileged XCC user that requested the file. The backup/restore password is not captured if the backup/restore is initiated directly from XCC.
How severe is CVE-2021-3473?
CVE-2021-3473 has a CVSS 3.x base score of 4.5, rated medium severity. It is exploitable over network with low attack complexity, requires high privileges and user interaction. Impact on confidentiality is high, integrity none, and availability none.
Is CVE-2021-3473 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (38th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2021-3473?
CVE-2021-3473 primarily affects Lenovo Xclarity Controller. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-3473?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2021-3473 published?
CVE-2021-3473 was published on 2021-04-13 and last updated on 2026-06-17.

References

Affected products (4)

More vulnerabilities in Lenovo Xclarity Controller

All CVEs affecting Lenovo Xclarity Controller →

Other CWE-312 (Cleartext Storage of Sensitive Information) vulnerabilities

Browse all CWE-312 (Cleartext Storage of Sensitive Information) vulnerabilities →