Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-3849

An authentication bypass vulnerability was discovered in the web interface of the Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM) firmware that could allow an unauthenticated attacker to execute commands on the SMM and FPC2. SMM2 is not affected.

Published

2022-04-22T21:15:09.557

Last Modified

2024-11-21T06:22:38.853

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-288
Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	lenovo	nextscale_n1200_enclosure_firmware	< fhet50b-2.90	Yes
Hardware	lenovo	nextscale_n1200_enclosure	-	No
Operating System	lenovo	thinkagile_hx_enclosure_certified_node_firmware	< tesm28b-1.21	Yes
Hardware	lenovo	thinkagile_hx_enclosure_certified_node	-	No
Operating System	lenovo	thinkagile_vx_enclosure_firmware	< tesm28b-1.21	Yes
Hardware	lenovo	thinkagile_vx_enclosure	-	No
Operating System	lenovo	thinksystem_d2_enclosure_firmware	< tesm28b-1.21	Yes
Hardware	lenovo	thinksystem_d2_enclosure	-	No
Operating System	ibm	nextscale_fan_power_controller_firmware	< 44a-3.70	Yes
Hardware	ibm	nextscale_fan_power_controller	-	No

References

https://support.lenovo.com/us/en/product_security/LEN-72615 Vendor Advisory ([email protected])
https://support.lenovo.com/us/en/product_security/LEN-72615 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)