CVE-2022-3431 — Incorrect Default Permissions in Lenovo D330-10igl Firmware

CWE-276 — Incorrect Default Permissions CWE-2644 documents4 sources

Severity

7.8HIGHNVD

CNA6.7CISA8.8

EPSS

0.0%

top 89.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lenovo D330-10igl Firmware Lenovo Ideapad 5 Pro-16ach6 Firmware Lenovo Ideapad 5 Pro-16ihu6 Firmware +23 more

Timeline

PublishedOct 9

Description

A potential vulnerability in a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages26 packages

▶NVDlenovo/d330-10igl_firmware< g0cn11ww

▶NVDlenovo/s540-15iml_firmware< cncn22ww

▶NVDlenovo/slim_7_16arh7_firmware< klcn15ww

▶NVDlenovo/thinkbook_13x_itg_firmware< hlcn30ww

▶NVDlenovo/yoga_duet_7-13itl6_firmware< gpcn24ww

🔴Vulnerability Details

GHSA

GHSA-jgmr-c4c9-rqmx: A potential vulnerability in a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated m↗2023-10-09

▶

CVEList

CVE-2022-3431: A potential vulnerability in a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated m↗2023-10-09

▶

📋Vendor Advisories

CISA

Oracle VirtualBox Insufficient Input Validation Vulnerability↗2022-03-03

▶