CVE-2022-3701 - Vulnerability Details - OpenCVE

Description

A privilege elevation vulnerability was reported in the Lenovo Vantage SystemUpdate plugin version 2.0.0.212 and earlier that could allow a local attacker to execute arbitrary code with elevated privileges.

Published: 2023-10-27

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Lenovo

Vantage SystemUpdate Plugin

unaffected

Version	Status	Constraints
	affected	< 2.0.0.213

Configuration 1 [-]

cpe:2.3:a:lenovo:system_update_plugin:*:*:*:*:*:lenovo_vantage:*:*

Configuration 2 [-]

cpe:2.3:a:lenovo:hardware_scan_plugin:*:*:*:*:*:lenovo_vantage:*:*

Configuration 3 [-]

cpe:2.3:a:lenovo:hardware_scan_addin:*:*:*:*:*:lenovo_vantage:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Update the Lenovo Vantage SystemUpdate Plugin to version 2.0.0.213.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2022-43059	A privilege elevation vulnerability was reported in the Lenovo Vantage SystemUpdate plugin version 2.0.0.212 and earlier that could allow a local attacker to execute arbitrary code with elevated privileges.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00025.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://support.lenovo.com/us/en/product_security/LEN-94532

History

No history.

Subscriptions

Lenovo Hardware Scan Addin Hardware Scan Plugin System Update Plugin

MITRE

Status: PUBLISHED

Assigner: lenovo

Published: 2023-10-27T19:38:49.759Z

Updated: 2024-09-09T14:54:51.401Z

Reserved: 2022-10-26T14:40:41.298Z

Link: CVE-2022-3701

Vulnrichment

Updated: 2024-08-03T01:20:57.017Z

NVD

Status : Modified

Published: 2023-10-27T20:15:08.857

Modified: 2024-11-21T07:20:03.887

Link: CVE-2022-3701

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-3701", "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "state": "PUBLISHED", "assignerShortName": "lenovo", "dateReserved": "2022-10-26T14:40:41.298Z", "datePublished": "2023-10-27T19:38:49.759Z", "dateUpdated": "2024-09-09T14:54:51.401Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Vantage SystemUpdate Plugin", "vendor": "Lenovo", "versions": [{"lessThan": "2.0.0.213", "status": "affected", "version": " ", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Lenovo thanks Nils Ole Timm for reporting this issue."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">A privilege elevation vulnerability was reported in the Lenovo Vantage SystemUpdate plugin version 2.0.0.212 and earlier that could allow a local attacker to execute arbitrary code with elevated privileges.</span>\n\n"}], "value": "\nA privilege elevation vulnerability was reported in the Lenovo Vantage SystemUpdate plugin version 2.0.0.212 and earlier that could allow a local attacker to execute arbitrary code with elevated privileges.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo", "dateUpdated": "2023-10-27T19:38:49.759Z"}, "references": [{"url": "https://support.lenovo.com/us/en/product_security/LEN-94532"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Update the Lenovo Vantage SystemUpdate Plugin to version 2.0.0.213.</span>\n\n<br>"}], "value": "\nUpdate the Lenovo Vantage SystemUpdate Plugin to version 2.0.0.213.\n\n\n"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:20:57.017Z"}, "title": "CVE Program Container", "references": [{"url": "https://support.lenovo.com/us/en/product_security/LEN-94532", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "lenovo", "product": "vantage_systemupdate_plugin", "cpes": ["cpe:2.3:a:lenovo:vantage_systemupdate_plugin:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.0.0.213", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-09T14:52:00.295887Z", "id": "CVE-2022-3701", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-09T14:54:51.401Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://support.lenovo.com/us/en/product_security/LEN-94532", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:20:57.017Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-3701", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-09T14:52:00.295887Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:lenovo:vantage_systemupdate_plugin:*:*:*:*:*:*:*:*"], "vendor": "lenovo", "product": "vantage_systemupdate_plugin", "versions": [{"status": "affected", "version": "0", "lessThan": "2.0.0.213", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-09T14:54:33.142Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Lenovo thanks Nils Ole Timm for reporting this issue."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Lenovo", "product": "Vantage SystemUpdate Plugin", "versions": [{"status": "affected", "version": " ", "lessThan": "2.0.0.213", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "\nUpdate the Lenovo Vantage SystemUpdate Plugin to version 2.0.0.213.\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Update the Lenovo Vantage SystemUpdate Plugin to version 2.0.0.213.</span>\n\n<br>", "base64": false}]}], "references": [{"url": "https://support.lenovo.com/us/en/product_security/LEN-94532"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "\nA privilege elevation vulnerability was reported in the Lenovo Vantage SystemUpdate plugin version 2.0.0.212 and earlier that could allow a local attacker to execute arbitrary code with elevated privileges.\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">A privilege elevation vulnerability was reported in the Lenovo Vantage SystemUpdate plugin version 2.0.0.212 and earlier that could allow a local attacker to execute arbitrary code with elevated privileges.</span>\n\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo", "dateUpdated": "2023-10-27T19:38:49.759Z"}}}, "cveMetadata": {"cveId": "CVE-2022-3701", "state": "PUBLISHED", "dateUpdated": "2024-09-09T14:54:51.401Z", "dateReserved": "2022-10-26T14:40:41.298Z", "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "datePublished": "2023-10-27T19:38:49.759Z", "assignerShortName": "lenovo"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:system_update_plugin:*:*:*:*:*:lenovo_vantage:*:*", "matchCriteriaId": "2570934E-9A8F-4241-984D-09FAF0D8540C", "versionEndExcluding": "2.0.0.213", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:hardware_scan_plugin:*:*:*:*:*:lenovo_vantage:*:*", "matchCriteriaId": "0BC61F69-B3FD-42AD-A660-3ED4B22B19B2", "versionEndExcluding": "1.3.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:hardware_scan_addin:*:*:*:*:*:lenovo_vantage:*:*", "matchCriteriaId": "3BCFD400-C02F-434F-908F-60E84AAB48C1", "versionEndExcluding": "2.4.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\nA privilege elevation vulnerability was reported in the Lenovo Vantage SystemUpdate plugin version 2.0.0.212 and earlier that could allow a local attacker to execute arbitrary code with elevated privileges.\n\n"}, {"lang": "es", "value": "Se inform\u00f3 una vulnerabilidad de elevaci\u00f3n de privilegios en el complemento Lenovo Vantage SystemUpdate versi\u00f3n 2.0.0.212 y anteriores que podr\u00eda permitir a un atacante local ejecutar c\u00f3digo arbitrario con privilegios elevados."}], "id": "CVE-2022-3701", "lastModified": "2024-11-21T07:20:03.887", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "psirt@lenovo.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-27T20:15:08.857", "references": [{"source": "psirt@lenovo.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://support.lenovo.com/us/en/product_security/LEN-94532"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://support.lenovo.com/us/en/product_security/LEN-94532"}], "sourceIdentifier": "psirt@lenovo.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "psirt@lenovo.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}]}