CVE-2021-3599

CWE-20 — Improper Input Validation3 documents3 sources

Severity

6.7MEDIUM

EPSS

0.0%

top 88.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

134

Lenovo Thinkpad 10 Firmware Lenovo Thinkpad 11E 3RD GEN Firmware Lenovo Thinkpad 11E 4TH GEN Firmware +131 more

Timeline

PublishedNov 12

Latest updateMay 24

Description

A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages134 packages

▶NVDlenovo/thinkpad_10_firmware< 2021-10-25

▶NVDlenovo/thinkpad_25_firmware< n1qet92w

▶NVDlenovo/thinkpad_p1_firmware< n2eet54w

▶NVDlenovo/thinkpad_e15_firmware< 2021-10-15

▶NVDlenovo/thinkpad_l13_firmware< 2021-10-31

Patches

Patch: support.lenovo.com ↗Patch: support.lenovo.com ↗

🔴Vulnerability Details

GHSA

GHSA-7jgm-fxw4-3rp9: A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an attacker with local access and↗2022-05-24

▶

CVEList

CVE-2021-3599: A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an attacker with local access and↗2021-11-12

▶