CVE-2022-1107 — Improper Input Validation in Lenovo Thinkpad 11E Firmware
Severity
6.7 MEDIUM (NVD)
EPSS
0.0%
top 90.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Apr 22
Latest update: Apr 23
Description
During an internal product security audit, a potential vulnerability due to use of Boot Services in the SmmOEMInt15 SMI handler was discovered in some ThinkPad models. It could be exploited by an attacker with elevated privileges and could allow execution of code.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.8 | Impact: 5.9
Affected Packages: 31 packages
Vulnerability Details (2)
GHSA
GHSA-qmwg-7c3h-jmrr: A potential vulnerability due to use of Boot Services in the SmmOEMInt15 SMI handler in some ThinkPad models could be exploited by an attacker with el (2022-04-23)
CVEList
CVE-2022-1107: During an internal product security audit a potential vulnerability due to use of Boot Services in the SmmOEMInt15 SMI handler was discovered in some (2022-04-22)