CVE-2021-42851 - OpenCVE

A vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to create a standard user account.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Lenovo	X1 Firmware T1 T1 Firmware T2pro Firmware T2pro A1 Firmware T2 A1 X1 T2 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:lenovo:a1_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:a1:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:lenovo:t1_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:t1:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:lenovo:x1_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:x1:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:lenovo:t2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:t2:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:lenovo:t2pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:lenovo:t2pro:-:*:*:*:*:*:*:*

References

Link	Resource
https://iknow.lenovo.com.cn/detail/dc_200017.html	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: lenovo

Published: 2022-05-18T16:10:32

Updated: 2022-05-18T16:10:32

Reserved: 2021-10-22T00:00:00

Link: CVE-2021-42851

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-05-18T16:15:08.360

Modified: 2022-08-09T00:20:45.227

Link: CVE-2021-42851

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Personal Cloud Storage A1", "vendor": "Lenovo", "versions": [{"lessThan": "5.3.6.a1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Personal Cloud Storage T1", "vendor": "Lenovo", "versions": [{"lessThan": "5.3.6.t1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Personal Cloud Storage X1", "vendor": "Lenovo", "versions": [{"lessThan": "5.3.8.x1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Personal Cloud Storage T2", "vendor": "Lenovo", "versions": [{"lessThan": "5.3.8.t2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Personal Cloud Storage T2Pro", "vendor": "Lenovo", "versions": [{"lessThan": "5.3.7.t2-pro", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Lenovo thanks Kais and KT of 360 Vulcan Team for reporting this issue."}], "descriptions": [{"lang": "en", "value": "A vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to create a standard user account."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-18T16:10:32", "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://iknow.lenovo.com.cn/detail/dc_200017.html"}], "solutions": [{"lang": "en", "value": "Update to the Lenovo Personal Cloud Storage device firmware listed in the product table in LEN-73439."}], "source": {"advisory": "LEN-73439", "discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@lenovo.com", "ID": "CVE-2021-42851", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Personal Cloud Storage A1", "version": {"version_data": [{"version_affected": "<", "version_value": "5.3.6.a1"}]}}, {"product_name": "Personal Cloud Storage T1", "version": {"version_data": [{"version_affected": "<", "version_value": "5.3.6.t1"}]}}, {"product_name": "Personal Cloud Storage X1", "version": {"version_data": [{"version_affected": "<", "version_value": "5.3.8.x1"}]}}, {"product_name": "Personal Cloud Storage T2", "version": {"version_data": [{"version_affected": "<", "version_value": "5.3.8.t2"}]}}, {"product_name": "Personal Cloud Storage T2Pro", "version": {"version_data": [{"version_affected": "<", "version_value": "5.3.7.t2-pro"}]}}]}, "vendor_name": "Lenovo"}]}}, "credit": [{"lang": "eng", "value": "Lenovo thanks Kais and KT of 360 Vulcan Team for reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to create a standard user account."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-862 Missing Authorization"}]}]}, "references": {"reference_data": [{"name": "https://iknow.lenovo.com.cn/detail/dc_200017.html", "refsource": "MISC", "url": "https://iknow.lenovo.com.cn/detail/dc_200017.html"}]}, "solution": [{"lang": "en", "value": "Update to the Lenovo Personal Cloud Storage device firmware listed in the product table in LEN-73439."}], "source": {"advisory": "LEN-73439", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "assignerShortName": "lenovo", "cveId": "CVE-2021-42851", "datePublished": "2022-05-18T16:10:32", "dateReserved": "2021-10-22T00:00:00", "dateUpdated": "2022-05-18T16:10:32", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:lenovo:a1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "26B4B1A2-26BB-4282-98E2-A1330A0B420A", "versionEndExcluding": "5.3.6.a1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:a1:-:*:*:*:*:*:*:*", "matchCriteriaId": "2E4D45D6-C702-4093-BD49-50E237FD4D94", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:lenovo:t1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "58D149F6-8029-4DCB-AE37-F094CE09CCDC", "versionEndExcluding": "5.3.6.t1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:t1:-:*:*:*:*:*:*:*", "matchCriteriaId": "5AA9C614-61D6-4329-9BAE-EB24A68FAE6B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:lenovo:x1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "055D03D9-F4BE-4EAE-AF07-D8E807C0BF26", "versionEndExcluding": "5.3.8.x1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:x1:-:*:*:*:*:*:*:*", "matchCriteriaId": "282CCA7C-F1B8-4E0D-923D-36C1E630EBF4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:lenovo:t2_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "DECB887A-404E-4DFA-B1F0-B12DC2376487", "versionEndExcluding": "5.3.8.t2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:t2:-:*:*:*:*:*:*:*", "matchCriteriaId": "1783634F-B40E-48C4-8102-8112C9BC95F4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:lenovo:t2pro_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "44D09A84-C0BE-4EB6-99F8-30184D7C8A40", "versionEndExcluding": "5.3.7.t2-pro", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:t2pro:-:*:*:*:*:*:*:*", "matchCriteriaId": "E31C853A-15FD-4D72-BA16-395A282E1E6B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to create a standard user account."}, {"lang": "es", "value": "Se inform\u00f3 de una vulnerabilidad en algunos dispositivos Lenovo Personal Cloud Storage que podr\u00eda permitir a un usuario no autenticado crear una cuenta de usuario est\u00e1ndar"}], "id": "CVE-2021-42851", "lastModified": "2022-08-09T00:20:45.227", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "psirt@lenovo.com", "type": "Secondary"}]}, "published": "2022-05-18T16:15:08.360", "references": [{"source": "psirt@lenovo.com", "tags": ["Vendor Advisory"], "url": "https://iknow.lenovo.com.cn/detail/dc_200017.html"}], "sourceIdentifier": "psirt@lenovo.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "psirt@lenovo.com", "type": "Secondary"}]}