CVE-2021-3720 - OpenCVE

An information disclosure vulnerability was reported in the Time Weather system widget on Legion Phone Pro (L79031) and Legion Phone2 Pro (L70081) that could allow other applications to access device GPS data.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Lenovo	Legion Phone2 Pro \(l70081\) Legion Phone2 Pro \(l70081\) Firmware Legion Phone Pro \(l79031\) Legion Phone Pro \(l79031\)firmware

Configuration 1 [-]

AND

cpe:2.3:o:lenovo:legion_phone_pro_\(l79031\)firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:legion_phone_pro_\(l79031\):-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:lenovo:legion_phone2_pro_\(l70081\)_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:legion_phone2_pro_\(l70081\):-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://iknow.lenovo.com.cn/detail/dc_199217.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: lenovo

Published: 2021-11-12T22:05:38

Updated: 2024-08-03T17:01:08.293Z

Reserved: 2021-08-18T00:00:00

Link: CVE-2021-3720

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-11-12T22:15:08.007

Modified: 2021-11-16T20:30:04.297

Link: CVE-2021-3720

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Legion Phone Pro (L79031)", "vendor": "Lenovo", "versions": [{"lessThan": "12.5.231", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Legion Phone2 Pro (L70081)", "vendor": "Lenovo", "versions": [{"lessThan": "12.5.632", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Lenovo thanks Xiaofeng Liu (Shandong University) and Qinsheng Hou (Shandong University & Qi An Xin Group Corp.) for reporting this issue."}], "descriptions": [{"lang": "en", "value": "An information disclosure vulnerability was reported in the Time Weather system widget on Legion Phone Pro (L79031) and Legion Phone2 Pro (L70081) that could allow other applications to access device GPS data."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-12T22:05:38", "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://iknow.lenovo.com.cn/detail/dc_199217.html"}], "solutions": [{"lang": "en", "value": "For Legion Phone Pro (L79031), perform an Over-The-Air (OTA) system update to version 12.5.231 (or later).\nFor Legion Phone2 Pro (L70081), perform an Over-The-Air (OTA) system update to version 12.5.632 (or later).\nTo check for available updates wirelessly/over-the-air: # Go to Settings > My Phone > System Update \nIf an update is available, follow the instructions on your phone to download and install it.\nOnce updated, your phone will restart to complete the installation."}], "source": {"advisory": "LEN-65134", "discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@lenovo.com", "ID": "CVE-2021-3720", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Legion Phone Pro (L79031)", "version": {"version_data": [{"version_affected": "<", "version_value": "12.5.231"}]}}, {"product_name": "Legion Phone2 Pro (L70081)", "version": {"version_data": [{"version_affected": "<", "version_value": "12.5.632 "}]}}]}, "vendor_name": "Lenovo"}]}}, "credit": [{"lang": "eng", "value": "Lenovo thanks Xiaofeng Liu (Shandong University) and Qinsheng Hou (Shandong University & Qi An Xin Group Corp.) for reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An information disclosure vulnerability was reported in the Time Weather system widget on Legion Phone Pro (L79031) and Legion Phone2 Pro (L70081) that could allow other applications to access device GPS data."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-276 Incorrect Default Permissions"}]}]}, "references": {"reference_data": [{"name": "https://iknow.lenovo.com.cn/detail/dc_199217.html", "refsource": "MISC", "url": "https://iknow.lenovo.com.cn/detail/dc_199217.html"}]}, "solution": [{"lang": "en", "value": "For Legion Phone Pro (L79031), perform an Over-The-Air (OTA) system update to version 12.5.231 (or later).\nFor Legion Phone2 Pro (L70081), perform an Over-The-Air (OTA) system update to version 12.5.632 (or later).\nTo check for available updates wirelessly/over-the-air: # Go to Settings > My Phone > System Update \nIf an update is available, follow the instructions on your phone to download and install it.\nOnce updated, your phone will restart to complete the installation."}], "source": {"advisory": "LEN-65134", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:01:08.293Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://iknow.lenovo.com.cn/detail/dc_199217.html"}]}]}, "cveMetadata": {"assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "assignerShortName": "lenovo", "cveId": "CVE-2021-3720", "datePublished": "2021-11-12T22:05:38", "dateReserved": "2021-08-18T00:00:00", "dateUpdated": "2024-08-03T17:01:08.293Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:lenovo:legion_phone_pro_\\(l79031\\)firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "36A91A6C-44DE-406F-92BB-FFFC787F09EB", "versionEndExcluding": "12.5.231", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:legion_phone_pro_\\(l79031\\):-:*:*:*:*:*:*:*", "matchCriteriaId": "9A2B1693-72A3-45B0-9496-D57B373CE66E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:lenovo:legion_phone2_pro_\\(l70081\\)_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "72FBE839-AA26-4DC8-8B79-9A1A9B00AF2B", "versionEndExcluding": "12.5.632", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:legion_phone2_pro_\\(l70081\\):-:*:*:*:*:*:*:*", "matchCriteriaId": "3C03E10A-B58D-479C-88E4-B6265DAC4FCC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An information disclosure vulnerability was reported in the Time Weather system widget on Legion Phone Pro (L79031) and Legion Phone2 Pro (L70081) that could allow other applications to access device GPS data."}, {"lang": "es", "value": "Se ha informado de una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en el widget del sistema Time Weather en Legion Phone Pro (L79031) y Legion Phone2 Pro (L70081) que podr\u00eda permitir a otras aplicaciones acceder a los datos del GPS del dispositivo"}], "id": "CVE-2021-3720", "lastModified": "2021-11-16T20:30:04.297", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "psirt@lenovo.com", "type": "Secondary"}]}, "published": "2021-11-12T22:15:08.007", "references": [{"source": "psirt@lenovo.com", "tags": ["Vendor Advisory"], "url": "https://iknow.lenovo.com.cn/detail/dc_199217.html"}], "sourceIdentifier": "psirt@lenovo.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-276"}], "source": "psirt@lenovo.com", "type": "Secondary"}]}