CVE-2021-3473

Name: CVE-2021-3473
Creator: NVD / NIST
Published: 2021-04-13T21:15:25.41+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 4.9/10EPSS 0.48%

Last modified Jun 17, 2026

CVE-2021-3473 is a medium-severity vulnerability rated 4.9/10 on the CVSS scale. An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is used to perform the backup/restore. The backup/restore password typically exists in this internal log buffer for less than 10 minutes before being overwritten. EPSS estimates a 0.48% chance of exploitation in the next 30 days.

Description

An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is used to perform the backup/restore. The backup/restore password typically exists in this internal log buffer for less than 10 minutes before being overwritten. Generating an FFDC service log will include the log buffer contents, including the backup/restore password if present. The FFDC service log is only generated when requested by a privileged XCC user and it is only accessible to the privileged XCC user that requested the file. The backup/restore password is not captured if the backup/restore is initiated directly from XCC.

Metrics

CVSS 3.1

4.9/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

0.48%

37.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Lenovo	Xclarity Controller	6.00_cdi370q
Lenovo	Xclarity Controller	1.10_tgbt12q
Lenovo	Xclarity Controller	2.14_psi338i
Lenovo	Xclarity Controller	4.40_tei3b2p

References

https://support.lenovo.com/us/en/product_security/LEN-52117Vendor Advisory
https://support.lenovo.com/us/en/product_security/LEN-52117Vendor Advisory

Timeline

Published: Apr 13, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-3473?

How severe is CVE-2021-3473?

CVE-2021-3473 has a CVSS score of 4.9/10 (MEDIUM severity). The EPSS model estimates a 0.48% probability of exploitation in the next 30 days.

How do I fix CVE-2021-3473?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-3473?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST