CVE-2022-4569 - OpenCVE

A local privilege escalation vulnerability in the ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool could allow an attacker with local access to execute code with elevated privileges during the package upgrade or installation.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Lenovo	Thinkpad Hybrid Usb-c With Usb-a Dock Thinkpad Hybrid Usb-c With Usb-a Dock Firmware

Configuration 1 [-]

AND

cpe:2.3:h:lenovo:thinkpad_hybrid_usb-c_with_usb-a_dock:-:*:*:*:*:*:*:*

cpe:2.3:o:lenovo:thinkpad_hybrid_usb-c_with_usb-a_dock_firmware:*:*:*:*:*:windows:*:*

No data.

References

Link	Providers
https://support.lenovo.com/us/en/product_security/LEN-103544

History

No history.

MITRE

Status: PUBLISHED

Assigner: lenovo

Published: 2023-06-05T20:59:26.019Z

Updated: 2024-08-03T01:41:45.585Z

Reserved: 2022-12-16T19:33:47.531Z

Link: CVE-2022-4569

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-06-05T21:15:10.413

Modified: 2023-06-13T16:56:50.710

Link: CVE-2022-4569

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-4569", "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "state": "PUBLISHED", "assignerShortName": "lenovo", "dateReserved": "2022-12-16T19:33:47.531Z", "datePublished": "2023-06-05T20:59:26.019Z", "dateUpdated": "2024-08-03T01:41:45.585Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool", "vendor": "Lenovo", "versions": [{"status": "affected", "version": "versions prior to v1.0.35_v2 "}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": " Lenovo thanks Raphael Rosenast of Compass Security."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A local privilege escalation vulnerability in the ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool could allow an attacker with local access to execute code with elevated privileges during the package upgrade or installation."}], "value": "A local privilege escalation vulnerability in the ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool could allow an attacker with local access to execute code with elevated privileges during the package upgrade or installation."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo", "dateUpdated": "2023-06-05T20:59:26.019Z"}, "references": [{"url": "https://support.lenovo.com/us/en/product_security/LEN-103544"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Customers should update their ThinkPad Dock Firmware Update Tool to version v1.0.35_v2 or later"}], "value": "Customers should update their ThinkPad Dock Firmware Update Tool to version v1.0.35_v2 or later"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:41:45.585Z"}, "title": "CVE Program Container", "references": [{"url": "https://support.lenovo.com/us/en/product_security/LEN-103544", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinkpad_hybrid_usb-c_with_usb-a_dock:-:*:*:*:*:*:*:*", "matchCriteriaId": "84E3B238-F3FA-47ED-AB7C-724007ECF450", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:lenovo:thinkpad_hybrid_usb-c_with_usb-a_dock_firmware:*:*:*:*:*:windows:*:*", "matchCriteriaId": "A2688053-9035-434B-B91A-D65053997264", "versionEndExcluding": "1.0.35_v2", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A local privilege escalation vulnerability in the ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool could allow an attacker with local access to execute code with elevated privileges during the package upgrade or installation."}], "id": "CVE-2022-4569", "lastModified": "2023-06-13T16:56:50.710", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "psirt@lenovo.com", "type": "Secondary"}]}, "published": "2023-06-05T21:15:10.413", "references": [{"source": "psirt@lenovo.com", "tags": ["Vendor Advisory"], "url": "https://support.lenovo.com/us/en/product_security/LEN-103544"}], "sourceIdentifier": "psirt@lenovo.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-276"}], "source": "psirt@lenovo.com", "type": "Secondary"}]}