CVE-2022-37018 — Incorrect Default Permissions in HP Elite Slice Firmware

CWE-276 — Incorrect Default Permissions3 documents3 sources

Severity

8.4HIGHNVD

EPSS

0.0%

top 89.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

HP Elite Slice Firmware HP Elite X2 1012 G1 Firmware HP Elite X2 1012 G2 Firmware +73 more

Timeline

PublishedDec 12

Description

A potential vulnerability has been identified in the system BIOS for certain HP PC products which may allow escalation of privileges and code execution. HP is releasing firmware updates to mitigate the potential vulnerability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.5 | Impact: 5.9

Affected Packages76 packages

▶NVDhp/mp9_g2_retail_system_firmware< 02.59

▶NVDhp/rp9_g1_retail_system_firmware< 02.59

▶NVDhp/engage_one_aio_system_firmware< 02.44

▶NVDhp/z1_g3_firmware< 01.33

▶NVDhp/z240_sff_firmware< 01.85

Patches

Patch: support.hp.com ↗Patch: support.hp.com ↗

🔴Vulnerability Details

GHSA

GHSA-vv23-8mw3-7r7r: A potential vulnerability has been identified in the system BIOS for certain HP PC products which may allow escalation of privileges and code executio↗2022-12-12

▶

CVEList

CVE-2022-37018: A potential vulnerability has been identified in the system BIOS for certain HP PC products which may allow escalation of privileges and code executio↗2022-11-21

▶