Search

Find a vulnerability

Search criteria

    10 vulnerabilities found for thinkpad_l390_firmware by lenovo

    CVE-2022-40134 (GCVE-0-2022-40134)

    Vulnerability from nvd – Published: 2023-01-30 21:20 – Updated: 2025-03-27 15:26
    VLAI
    Summary
    An information leak vulnerability in the SMI Set BIOS Password SMI Handler in some Lenovo models may allow an attacker with local access and elevated privileges to read SMM memory.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Lenovo BIOS Affected: various
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:14:39.959Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/product_security/LEN-94953"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-40134",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-27T15:26:39.063546Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-27T15:26:52.831Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "BIOS",
              "vendor": "Lenovo",
              "versions": [
                {
                  "status": "affected",
                  "version": "various"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An information leak vulnerability in the SMI Set BIOS Password SMI Handler in some Lenovo models may allow an attacker with local access and elevated privileges to read SMM memory."
                }
              ],
              "value": "An information leak vulnerability in the SMI Set BIOS Password SMI Handler in some Lenovo models may allow an attacker with local access and elevated privileges to read SMM memory."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125 Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-30T21:20:25.236Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "url": "https://support.lenovo.com/us/en/product_security/LEN-94953"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update system firmware to the version (or newer) indicated for your model in the Product Impact section of LEN-94953."
                }
              ],
              "value": "Update system firmware to the version (or newer) indicated for your model in the Product Impact section of LEN-94953."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2022-40134",
        "datePublished": "2023-01-30T21:20:25.236Z",
        "dateReserved": "2022-09-06T15:43:50.235Z",
        "dateUpdated": "2025-03-27T15:26:52.831Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3843 (GCVE-0-2021-3843)

    Vulnerability from nvd – Published: 2021-11-12 22:05 – Updated: 2024-08-03 17:09
    VLAI
    Summary
    A potential vulnerability in the SMI function to access EEPROM in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo ThinkPad BIOS Affected: various
    Create a notification for this product.
    Credits
    Lenovo thanks Jiawei Yin(@yngweijw) and Menghao Li of IIE varas.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:09.580Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/product_security/LEN-72619"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ThinkPad BIOS",
              "vendor": "Lenovo",
              "versions": [
                {
                  "status": "affected",
                  "version": "various"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Lenovo thanks Jiawei Yin(@yngweijw) and Menghao Li of IIE varas."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A potential vulnerability in the SMI function to access EEPROM in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-12T22:05:56.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://support.lenovo.com/us/en/product_security/LEN-72619"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update system firmware to the version (or newer) indicated for your model in the Product Impact section in LEN-72619."
            }
          ],
          "source": {
            "advisory": "LEN-72619",
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "ID": "CVE-2021-3843",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ThinkPad BIOS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "various"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Lenovo thanks Jiawei Yin(@yngweijw) and Menghao Li of IIE varas."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A potential vulnerability in the SMI function to access EEPROM in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/product_security/LEN-72619",
                  "refsource": "MISC",
                  "url": "https://support.lenovo.com/us/en/product_security/LEN-72619"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update system firmware to the version (or newer) indicated for your model in the Product Impact section in LEN-72619."
              }
            ],
            "source": {
              "advisory": "LEN-72619",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2021-3843",
        "datePublished": "2021-11-12T22:05:56.000Z",
        "dateReserved": "2021-09-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:09:09.580Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3786 (GCVE-0-2021-3786)

    Vulnerability from nvd – Published: 2021-11-12 22:05 – Updated: 2024-08-03 17:09
    VLAI
    Summary
    A potential vulnerability in the SMI callback function used in CSME configuration of some Lenovo Notebook and ThinkPad systems could be used to leak out data out of the SMRAM range.
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Credits
    Lenovo thanks Itai Liba and Assaf Carlsbad from SentinelOne for reporting these issues.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:08.738Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/product_security/LEN-67440"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Notebook and ThinkPad BIOS",
              "vendor": "Lenovo",
              "versions": [
                {
                  "status": "affected",
                  "version": "various"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Lenovo thanks Itai Liba and Assaf Carlsbad from SentinelOne for reporting these issues."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A potential vulnerability in the SMI callback function used in CSME configuration of some Lenovo Notebook and ThinkPad systems could be used to leak out data out of the SMRAM range."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-12T22:05:41.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://support.lenovo.com/us/en/product_security/LEN-67440"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update system firmware to the version (or newer) indicated for your model in the Product Impact section of LEN-67440."
            }
          ],
          "source": {
            "advisory": "LEN-67440",
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "ID": "CVE-2021-3786",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Notebook and ThinkPad BIOS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "various"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Lenovo thanks Itai Liba and Assaf Carlsbad from SentinelOne for reporting these issues."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A potential vulnerability in the SMI callback function used in CSME configuration of some Lenovo Notebook and ThinkPad systems could be used to leak out data out of the SMRAM range."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/product_security/LEN-67440",
                  "refsource": "MISC",
                  "url": "https://support.lenovo.com/us/en/product_security/LEN-67440"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update system firmware to the version (or newer) indicated for your model in the Product Impact section of LEN-67440."
              }
            ],
            "source": {
              "advisory": "LEN-67440",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2021-3786",
        "datePublished": "2021-11-12T22:05:41.000Z",
        "dateReserved": "2021-09-09T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:09:08.738Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3718 (GCVE-0-2021-3718)

    Vulnerability from nvd – Published: 2021-11-12 22:05 – Updated: 2024-08-03 17:01
    VLAI
    Summary
    A denial of service vulnerability was reported in some ThinkPad models that could cause a system to crash when the Enhanced Biometrics setting is enabled in BIOS.
    CWE
    • CWE-232 - Improper Handling of Undefined Values
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo ThinkPad BIOS Affected: various
    Create a notification for this product.
    Credits
    Lenovo thanks Zoltan Harmarth for reporting this issue
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:01:08.300Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/product_security/LEN-72619"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ThinkPad BIOS",
              "vendor": "Lenovo",
              "versions": [
                {
                  "status": "affected",
                  "version": "various"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Lenovo thanks Zoltan Harmarth for reporting this issue"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A denial of service vulnerability was reported in some ThinkPad models that could cause a system to crash when the Enhanced Biometrics setting is enabled in BIOS."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "PHYSICAL",
                "availabilityImpact": "HIGH",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-232",
                  "description": "CWE-232 Improper Handling of Undefined Values",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-12T22:05:34.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://support.lenovo.com/us/en/product_security/LEN-72619"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update system firmware to the version (or newer) indicated for your model in the Product Impact section in LEN-72619."
            }
          ],
          "source": {
            "advisory": "LEN-72619",
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "ID": "CVE-2021-3718",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ThinkPad BIOS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "various"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Lenovo thanks Zoltan Harmarth for reporting this issue"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A denial of service vulnerability was reported in some ThinkPad models that could cause a system to crash when the Enhanced Biometrics setting is enabled in BIOS."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "PHYSICAL",
                "availabilityImpact": "HIGH",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-232 Improper Handling of Undefined Values"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/product_security/LEN-72619",
                  "refsource": "MISC",
                  "url": "https://support.lenovo.com/us/en/product_security/LEN-72619"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update system firmware to the version (or newer) indicated for your model in the Product Impact section in LEN-72619."
              }
            ],
            "source": {
              "advisory": "LEN-72619",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2021-3718",
        "datePublished": "2021-11-12T22:05:34.000Z",
        "dateReserved": "2021-08-18T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:01:08.300Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3599 (GCVE-0-2021-3599)

    Vulnerability from nvd – Published: 2021-11-12 22:05 – Updated: 2024-08-03 17:01
    VLAI
    Summary
    A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo ThinkPad BIOS Affected: various
    Create a notification for this product.
    Credits
    Lenovo thanks Itai Liba and Assaf Carlsbad from SentinelOne for reporting these issues.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:01:07.491Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/product_security/LEN-67440"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ThinkPad BIOS",
              "vendor": "Lenovo",
              "versions": [
                {
                  "status": "affected",
                  "version": "various"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Lenovo thanks Itai Liba and Assaf Carlsbad from SentinelOne for reporting these issues."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-12T22:05:33.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://support.lenovo.com/us/en/product_security/LEN-67440"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update system firmware to the version (or newer) indicated for your model in the Product Impact section of LEN-67440."
            }
          ],
          "source": {
            "advisory": "LEN-67440",
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "ID": "CVE-2021-3599",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ThinkPad BIOS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "various"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Lenovo thanks Itai Liba and Assaf Carlsbad from SentinelOne for reporting these issues."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/product_security/LEN-67440",
                  "refsource": "MISC",
                  "url": "https://support.lenovo.com/us/en/product_security/LEN-67440"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update system firmware to the version (or newer) indicated for your model in the Product Impact section of LEN-67440."
              }
            ],
            "source": {
              "advisory": "LEN-67440",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2021-3599",
        "datePublished": "2021-11-12T22:05:33.000Z",
        "dateReserved": "2021-06-11T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:01:07.491Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-40134 (GCVE-0-2022-40134)

    Vulnerability from cvelistv5 – Published: 2023-01-30 21:20 – Updated: 2025-03-27 15:26
    VLAI
    Summary
    An information leak vulnerability in the SMI Set BIOS Password SMI Handler in some Lenovo models may allow an attacker with local access and elevated privileges to read SMM memory.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Lenovo BIOS Affected: various
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:14:39.959Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/product_security/LEN-94953"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-40134",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-27T15:26:39.063546Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-27T15:26:52.831Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "BIOS",
              "vendor": "Lenovo",
              "versions": [
                {
                  "status": "affected",
                  "version": "various"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An information leak vulnerability in the SMI Set BIOS Password SMI Handler in some Lenovo models may allow an attacker with local access and elevated privileges to read SMM memory."
                }
              ],
              "value": "An information leak vulnerability in the SMI Set BIOS Password SMI Handler in some Lenovo models may allow an attacker with local access and elevated privileges to read SMM memory."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125 Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-30T21:20:25.236Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "url": "https://support.lenovo.com/us/en/product_security/LEN-94953"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update system firmware to the version (or newer) indicated for your model in the Product Impact section of LEN-94953."
                }
              ],
              "value": "Update system firmware to the version (or newer) indicated for your model in the Product Impact section of LEN-94953."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2022-40134",
        "datePublished": "2023-01-30T21:20:25.236Z",
        "dateReserved": "2022-09-06T15:43:50.235Z",
        "dateUpdated": "2025-03-27T15:26:52.831Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3843 (GCVE-0-2021-3843)

    Vulnerability from cvelistv5 – Published: 2021-11-12 22:05 – Updated: 2024-08-03 17:09
    VLAI
    Summary
    A potential vulnerability in the SMI function to access EEPROM in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo ThinkPad BIOS Affected: various
    Create a notification for this product.
    Credits
    Lenovo thanks Jiawei Yin(@yngweijw) and Menghao Li of IIE varas.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:09.580Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/product_security/LEN-72619"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ThinkPad BIOS",
              "vendor": "Lenovo",
              "versions": [
                {
                  "status": "affected",
                  "version": "various"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Lenovo thanks Jiawei Yin(@yngweijw) and Menghao Li of IIE varas."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A potential vulnerability in the SMI function to access EEPROM in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-12T22:05:56.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://support.lenovo.com/us/en/product_security/LEN-72619"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update system firmware to the version (or newer) indicated for your model in the Product Impact section in LEN-72619."
            }
          ],
          "source": {
            "advisory": "LEN-72619",
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "ID": "CVE-2021-3843",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ThinkPad BIOS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "various"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Lenovo thanks Jiawei Yin(@yngweijw) and Menghao Li of IIE varas."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A potential vulnerability in the SMI function to access EEPROM in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/product_security/LEN-72619",
                  "refsource": "MISC",
                  "url": "https://support.lenovo.com/us/en/product_security/LEN-72619"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update system firmware to the version (or newer) indicated for your model in the Product Impact section in LEN-72619."
              }
            ],
            "source": {
              "advisory": "LEN-72619",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2021-3843",
        "datePublished": "2021-11-12T22:05:56.000Z",
        "dateReserved": "2021-09-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:09:09.580Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3786 (GCVE-0-2021-3786)

    Vulnerability from cvelistv5 – Published: 2021-11-12 22:05 – Updated: 2024-08-03 17:09
    VLAI
    Summary
    A potential vulnerability in the SMI callback function used in CSME configuration of some Lenovo Notebook and ThinkPad systems could be used to leak out data out of the SMRAM range.
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Credits
    Lenovo thanks Itai Liba and Assaf Carlsbad from SentinelOne for reporting these issues.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:08.738Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/product_security/LEN-67440"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Notebook and ThinkPad BIOS",
              "vendor": "Lenovo",
              "versions": [
                {
                  "status": "affected",
                  "version": "various"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Lenovo thanks Itai Liba and Assaf Carlsbad from SentinelOne for reporting these issues."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A potential vulnerability in the SMI callback function used in CSME configuration of some Lenovo Notebook and ThinkPad systems could be used to leak out data out of the SMRAM range."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-12T22:05:41.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://support.lenovo.com/us/en/product_security/LEN-67440"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update system firmware to the version (or newer) indicated for your model in the Product Impact section of LEN-67440."
            }
          ],
          "source": {
            "advisory": "LEN-67440",
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "ID": "CVE-2021-3786",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Notebook and ThinkPad BIOS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "various"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Lenovo thanks Itai Liba and Assaf Carlsbad from SentinelOne for reporting these issues."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A potential vulnerability in the SMI callback function used in CSME configuration of some Lenovo Notebook and ThinkPad systems could be used to leak out data out of the SMRAM range."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/product_security/LEN-67440",
                  "refsource": "MISC",
                  "url": "https://support.lenovo.com/us/en/product_security/LEN-67440"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update system firmware to the version (or newer) indicated for your model in the Product Impact section of LEN-67440."
              }
            ],
            "source": {
              "advisory": "LEN-67440",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2021-3786",
        "datePublished": "2021-11-12T22:05:41.000Z",
        "dateReserved": "2021-09-09T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:09:08.738Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3718 (GCVE-0-2021-3718)

    Vulnerability from cvelistv5 – Published: 2021-11-12 22:05 – Updated: 2024-08-03 17:01
    VLAI
    Summary
    A denial of service vulnerability was reported in some ThinkPad models that could cause a system to crash when the Enhanced Biometrics setting is enabled in BIOS.
    CWE
    • CWE-232 - Improper Handling of Undefined Values
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo ThinkPad BIOS Affected: various
    Create a notification for this product.
    Credits
    Lenovo thanks Zoltan Harmarth for reporting this issue
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:01:08.300Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/product_security/LEN-72619"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ThinkPad BIOS",
              "vendor": "Lenovo",
              "versions": [
                {
                  "status": "affected",
                  "version": "various"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Lenovo thanks Zoltan Harmarth for reporting this issue"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A denial of service vulnerability was reported in some ThinkPad models that could cause a system to crash when the Enhanced Biometrics setting is enabled in BIOS."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "PHYSICAL",
                "availabilityImpact": "HIGH",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-232",
                  "description": "CWE-232 Improper Handling of Undefined Values",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-12T22:05:34.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://support.lenovo.com/us/en/product_security/LEN-72619"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update system firmware to the version (or newer) indicated for your model in the Product Impact section in LEN-72619."
            }
          ],
          "source": {
            "advisory": "LEN-72619",
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "ID": "CVE-2021-3718",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ThinkPad BIOS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "various"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Lenovo thanks Zoltan Harmarth for reporting this issue"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A denial of service vulnerability was reported in some ThinkPad models that could cause a system to crash when the Enhanced Biometrics setting is enabled in BIOS."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "PHYSICAL",
                "availabilityImpact": "HIGH",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-232 Improper Handling of Undefined Values"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/product_security/LEN-72619",
                  "refsource": "MISC",
                  "url": "https://support.lenovo.com/us/en/product_security/LEN-72619"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update system firmware to the version (or newer) indicated for your model in the Product Impact section in LEN-72619."
              }
            ],
            "source": {
              "advisory": "LEN-72619",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2021-3718",
        "datePublished": "2021-11-12T22:05:34.000Z",
        "dateReserved": "2021-08-18T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:01:08.300Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3599 (GCVE-0-2021-3599)

    Vulnerability from cvelistv5 – Published: 2021-11-12 22:05 – Updated: 2024-08-03 17:01
    VLAI
    Summary
    A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Lenovo ThinkPad BIOS Affected: various
    Create a notification for this product.
    Credits
    Lenovo thanks Itai Liba and Assaf Carlsbad from SentinelOne for reporting these issues.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:01:07.491Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://support.lenovo.com/us/en/product_security/LEN-67440"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ThinkPad BIOS",
              "vendor": "Lenovo",
              "versions": [
                {
                  "status": "affected",
                  "version": "various"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Lenovo thanks Itai Liba and Assaf Carlsbad from SentinelOne for reporting these issues."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-12T22:05:33.000Z",
            "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
            "shortName": "lenovo"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://support.lenovo.com/us/en/product_security/LEN-67440"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update system firmware to the version (or newer) indicated for your model in the Product Impact section of LEN-67440."
            }
          ],
          "source": {
            "advisory": "LEN-67440",
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@lenovo.com",
              "ID": "CVE-2021-3599",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ThinkPad BIOS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "various"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Lenovo"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Lenovo thanks Itai Liba and Assaf Carlsbad from SentinelOne for reporting these issues."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.lenovo.com/us/en/product_security/LEN-67440",
                  "refsource": "MISC",
                  "url": "https://support.lenovo.com/us/en/product_security/LEN-67440"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update system firmware to the version (or newer) indicated for your model in the Product Impact section of LEN-67440."
              }
            ],
            "source": {
              "advisory": "LEN-67440",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "assignerShortName": "lenovo",
        "cveId": "CVE-2021-3599",
        "datePublished": "2021-11-12T22:05:33.000Z",
        "dateReserved": "2021-06-11T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:01:07.491Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }