CVE-2021-3720 (GCVE-0-2021-3720)

Vulnerability from cvelistv5 – Published: 2021-11-12 22:05 – Updated: 2024-08-03 17:01
VLAI
Summary
An information disclosure vulnerability was reported in the Time Weather system widget on Legion Phone Pro (L79031) and Legion Phone2 Pro (L70081) that could allow other applications to access device GPS data.
Severity
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE
  • CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
Vendor Product Version
Lenovo Legion Phone Pro (L79031) Affected: unspecified , < 12.5.231 (custom)
Create a notification for this product.
Lenovo Legion Phone2 Pro (L70081) Affected: unspecified , < 12.5.632 (custom)
Create a notification for this product.
Credits
Lenovo thanks Xiaofeng Liu (Shandong University) and Qinsheng Hou (Shandong University & Qi An Xin Group Corp.) for reporting this issue.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:01:08.293Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://iknow.lenovo.com.cn/detail/dc_199217.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Legion Phone Pro (L79031)",
          "vendor": "Lenovo",
          "versions": [
            {
              "lessThan": "12.5.231",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Legion Phone2 Pro (L70081)",
          "vendor": "Lenovo",
          "versions": [
            {
              "lessThan": "12.5.632",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Lenovo thanks Xiaofeng Liu (Shandong University) and Qinsheng Hou (Shandong University \u0026 Qi An Xin Group Corp.) for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An information disclosure vulnerability was reported in the Time Weather system widget on Legion Phone Pro (L79031) and Legion Phone2 Pro (L70081) that could allow other applications to access device GPS data."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-276",
              "description": "CWE-276 Incorrect Default Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-12T22:05:38.000Z",
        "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "shortName": "lenovo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://iknow.lenovo.com.cn/detail/dc_199217.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "For Legion Phone Pro (L79031), perform an Over-The-Air (OTA) system update to version 12.5.231 (or later).\nFor Legion Phone2 Pro (L70081), perform an Over-The-Air (OTA) system update to version 12.5.632 (or later).\nTo check for available updates wirelessly/over-the-air: # Go to Settings \u003e My Phone \u003e System Update \nIf an update is available, follow the instructions on your phone to download and install it.\nOnce updated, your phone will restart to complete the installation."
        }
      ],
      "source": {
        "advisory": "LEN-65134",
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@lenovo.com",
          "ID": "CVE-2021-3720",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Legion Phone Pro (L79031)",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "12.5.231"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Legion Phone2 Pro (L70081)",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "12.5.632"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Lenovo"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Lenovo thanks Xiaofeng Liu (Shandong University) and Qinsheng Hou (Shandong University \u0026 Qi An Xin Group Corp.) for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An information disclosure vulnerability was reported in the Time Weather system widget on Legion Phone Pro (L79031) and Legion Phone2 Pro (L70081) that could allow other applications to access device GPS data."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-276 Incorrect Default Permissions"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://iknow.lenovo.com.cn/detail/dc_199217.html",
              "refsource": "MISC",
              "url": "https://iknow.lenovo.com.cn/detail/dc_199217.html"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "For Legion Phone Pro (L79031), perform an Over-The-Air (OTA) system update to version 12.5.231 (or later).\nFor Legion Phone2 Pro (L70081), perform an Over-The-Air (OTA) system update to version 12.5.632 (or later).\nTo check for available updates wirelessly/over-the-air: # Go to Settings \u003e My Phone \u003e System Update \nIf an update is available, follow the instructions on your phone to download and install it.\nOnce updated, your phone will restart to complete the installation."
          }
        ],
        "source": {
          "advisory": "LEN-65134",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
    "assignerShortName": "lenovo",
    "cveId": "CVE-2021-3720",
    "datePublished": "2021-11-12T22:05:38.000Z",
    "dateReserved": "2021-08-18T00:00:00.000Z",
    "dateUpdated": "2024-08-03T17:01:08.293Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2021-3720",
      "date": "2026-05-26",
      "epss": "0.00044",
      "percentile": "0.13587"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-3720\",\"sourceIdentifier\":\"psirt@lenovo.com\",\"published\":\"2021-11-12T22:15:08.007\",\"lastModified\":\"2024-11-21T06:22:14.840\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An information disclosure vulnerability was reported in the Time Weather system widget on Legion Phone Pro (L79031) and Legion Phone2 Pro (L70081) that could allow other applications to access device GPS data.\"},{\"lang\":\"es\",\"value\":\"Se ha informado de una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en el widget del sistema Time Weather en Legion Phone Pro (L79031) y Legion Phone2 Pro (L70081) que podr\u00eda permitir a otras aplicaciones acceder a los datos del GPS del dispositivo\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@lenovo.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":2.1,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.9,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"psirt@lenovo.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-276\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:lenovo:legion_phone_pro_\\\\(l79031\\\\)firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"12.5.231\",\"matchCriteriaId\":\"36A91A6C-44DE-406F-92BB-FFFC787F09EB\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:lenovo:legion_phone_pro_\\\\(l79031\\\\):-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9A2B1693-72A3-45B0-9496-D57B373CE66E\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:lenovo:legion_phone2_pro_\\\\(l70081\\\\)_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"12.5.632\",\"matchCriteriaId\":\"72FBE839-AA26-4DC8-8B79-9A1A9B00AF2B\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:lenovo:legion_phone2_pro_\\\\(l70081\\\\):-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3C03E10A-B58D-479C-88E4-B6265DAC4FCC\"}]}]}],\"references\":[{\"url\":\"https://iknow.lenovo.com.cn/detail/dc_199217.html\",\"source\":\"psirt@lenovo.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://iknow.lenovo.com.cn/detail/dc_199217.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.