CVE-2021-42848 - OpenCVE

An information disclosure vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to retrieve device and networking details.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Lenovo	X1 Firmware T1 T1 Firmware T2pro Firmware T2pro A1 Firmware T2 A1 X1 T2 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:lenovo:a1_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:a1:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:lenovo:t1_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:t1:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:lenovo:x1_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:x1:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:lenovo:t2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:t2:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:lenovo:t2pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:t2pro:-:*:*:*:*:*:*:*

References

Link	Resource
https://iknow.lenovo.com.cn/detail/dc_200017.html	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: lenovo

Published: 2022-05-18T16:10:27

Updated: 2022-05-18T16:10:27

Reserved: 2021-10-22T00:00:00

Link: CVE-2021-42848

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-05-18T16:15:08.187

Modified: 2022-06-01T13:42:19.307

Link: CVE-2021-42848

JSON object: View

Redhat Information

No data.

CWE

CWE-862

{"containers": {"cna": {"affected": [{"product": "Personal Cloud Storage A1", "vendor": "Lenovo", "versions": [{"lessThan": "5.3.6.a1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Personal Cloud Storage T1", "vendor": "Lenovo", "versions": [{"lessThan": "5.3.6.t1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Personal Cloud Storage X1", "vendor": "Lenovo", "versions": [{"lessThan": "5.3.8.x1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Personal Cloud Storage T2", "vendor": "Lenovo", "versions": [{"lessThan": "5.3.8.t2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Personal Cloud Storage T2Pro", "vendor": "Lenovo", "versions": [{"lessThan": "5.3.7.t2-pro", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Lenovo thanks Kais and KT of 360 Vulcan Team for reporting these issues."}], "descriptions": [{"lang": "en", "value": "An information disclosure vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to retrieve device and networking details."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-18T16:10:27", "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://iknow.lenovo.com.cn/detail/dc_200017.html"}], "solutions": [{"lang": "en", "value": "Update to the Lenovo Personal Cloud Storage device firmware listed in the product table in LEN-73439."}], "source": {"advisory": "LEN-73439", "discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@lenovo.com", "ID": "CVE-2021-42848", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Personal Cloud Storage A1", "version": {"version_data": [{"version_affected": "<", "version_value": "5.3.6.a1"}]}}, {"product_name": "Personal Cloud Storage T1", "version": {"version_data": [{"version_affected": "<", "version_value": "5.3.6.t1"}]}}, {"product_name": "Personal Cloud Storage X1", "version": {"version_data": [{"version_affected": "<", "version_value": "5.3.8.x1"}]}}, {"product_name": "Personal Cloud Storage T2", "version": {"version_data": [{"version_affected": "<", "version_value": "5.3.8.t2"}]}}, {"product_name": "Personal Cloud Storage T2Pro", "version": {"version_data": [{"version_affected": "<", "version_value": "5.3.7.t2-pro"}]}}]}, "vendor_name": "Lenovo"}]}}, "credit": [{"lang": "eng", "value": "Lenovo thanks Kais and KT of 360 Vulcan Team for reporting these issues."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An information disclosure vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to retrieve device and networking details."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-862 Missing Authorization"}]}]}, "references": {"reference_data": [{"name": "https://iknow.lenovo.com.cn/detail/dc_200017.html", "refsource": "MISC", "url": "https://iknow.lenovo.com.cn/detail/dc_200017.html"}]}, "solution": [{"lang": "en", "value": "Update to the Lenovo Personal Cloud Storage device firmware listed in the product table in LEN-73439."}], "source": {"advisory": "LEN-73439", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "assignerShortName": "lenovo", "cveId": "CVE-2021-42848", "datePublished": "2022-05-18T16:10:27", "dateReserved": "2021-10-22T00:00:00", "dateUpdated": "2022-05-18T16:10:27", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:lenovo:a1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "26B4B1A2-26BB-4282-98E2-A1330A0B420A", "versionEndExcluding": "5.3.6.a1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:a1:-:*:*:*:*:*:*:*", "matchCriteriaId": "2E4D45D6-C702-4093-BD49-50E237FD4D94", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:lenovo:t1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "58D149F6-8029-4DCB-AE37-F094CE09CCDC", "versionEndExcluding": "5.3.6.t1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:t1:-:*:*:*:*:*:*:*", "matchCriteriaId": "5AA9C614-61D6-4329-9BAE-EB24A68FAE6B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:lenovo:x1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "055D03D9-F4BE-4EAE-AF07-D8E807C0BF26", "versionEndExcluding": "5.3.8.x1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:x1:-:*:*:*:*:*:*:*", "matchCriteriaId": "282CCA7C-F1B8-4E0D-923D-36C1E630EBF4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:lenovo:t2_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "DECB887A-404E-4DFA-B1F0-B12DC2376487", "versionEndExcluding": "5.3.8.t2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:t2:-:*:*:*:*:*:*:*", "matchCriteriaId": "1783634F-B40E-48C4-8102-8112C9BC95F4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:lenovo:t2pro_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "44D09A84-C0BE-4EB6-99F8-30184D7C8A40", "versionEndExcluding": "5.3.7.t2-pro", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:t2pro:-:*:*:*:*:*:*:*", "matchCriteriaId": "E31C853A-15FD-4D72-BA16-395A282E1E6B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An information disclosure vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to retrieve device and networking details."}, {"lang": "es", "value": "Se inform\u00f3 de una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en algunos dispositivos de Lenovo Personal Cloud Storage que podr\u00eda permitir a un usuario no autenticado recuperar detalles del dispositivo y de la red"}], "id": "CVE-2021-42848", "lastModified": "2022-06-01T13:42:19.307", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "psirt@lenovo.com", "type": "Secondary"}]}, "published": "2022-05-18T16:15:08.187", "references": [{"source": "psirt@lenovo.com", "tags": ["Vendor Advisory"], "url": "https://iknow.lenovo.com.cn/detail/dc_200017.html"}], "sourceIdentifier": "psirt@lenovo.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "psirt@lenovo.com", "type": "Secondary"}]}