CVE-2022-3700 - OpenCVE

A Time of Check Time of Use (TOCTOU) vulnerability was reported in the Lenovo Vantage SystemUpdate Plugin version 2.0.0.212 and earlier that could allow a local attacker to delete arbitrary files.

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Lenovo	Hardware Scan Addin System Update Plugin Hardware Scan Plugin

Configuration 1 [-]

cpe:2.3:a:lenovo:system_update_plugin:*:*:*:*:*:lenovo_vantage:*:*

Configuration 2 [-]

cpe:2.3:a:lenovo:hardware_scan_plugin:*:*:*:*:*:lenovo_vantage:*:*

Configuration 3 [-]

cpe:2.3:a:lenovo:hardware_scan_addin:*:*:*:*:*:lenovo_vantage:*:*

References

Link	Resource
https://support.lenovo.com/us/en/product_security/LEN-94532	Mitigation Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: lenovo

Published: 2023-10-27T19:32:04.281Z

Updated: 2023-10-27T19:38:06.324Z

Reserved: 2022-10-26T14:39:07.979Z

Link: CVE-2022-3700

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-10-27T20:15:08.777

Modified: 2023-11-07T19:42:42.127

Link: CVE-2022-3700

JSON object: View

Redhat Information

No data.

CWE

CWE-367

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2022-3700", "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "state": "PUBLISHED", "assignerShortName": "lenovo", "dateReserved": "2022-10-26T14:39:07.979Z", "datePublished": "2023-10-27T19:32:04.281Z", "dateUpdated": "2023-10-27T19:38:06.324Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Vantage SystemUpdate Plugin", "vendor": "Lenovo", "versions": [{"lessThan": "2.0.0.213", "status": "affected", "version": " ", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Lenovo thanks Nils Ole Timm for reporting this issue."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A Time of Check Time of Use (TOCTOU) vulnerability was reported in the Lenovo Vantage SystemUpdate Plugin version 2.0.0.212 and earlier that could allow a local attacker to delete arbitrary files."}], "value": "A Time of Check Time of Use (TOCTOU) vulnerability was reported in the Lenovo Vantage SystemUpdate Plugin version 2.0.0.212 and earlier that could allow a local attacker to delete arbitrary files."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo", "dateUpdated": "2023-10-27T19:38:06.324Z"}, "references": [{"url": "https://support.lenovo.com/us/en/product_security/LEN-94532"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Update the Lenovo Vantage SystemUpdate Plugin to version 2.0.0.213.</span>\n\n<br>"}], "value": "\nUpdate the Lenovo Vantage SystemUpdate Plugin to version 2.0.0.213.\n\n\n"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:system_update_plugin:*:*:*:*:*:lenovo_vantage:*:*", "matchCriteriaId": "2570934E-9A8F-4241-984D-09FAF0D8540C", "versionEndExcluding": "2.0.0.213", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:hardware_scan_plugin:*:*:*:*:*:lenovo_vantage:*:*", "matchCriteriaId": "0BC61F69-B3FD-42AD-A660-3ED4B22B19B2", "versionEndExcluding": "1.3.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:hardware_scan_addin:*:*:*:*:*:lenovo_vantage:*:*", "matchCriteriaId": "3BCFD400-C02F-434F-908F-60E84AAB48C1", "versionEndExcluding": "2.4.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A Time of Check Time of Use (TOCTOU) vulnerability was reported in the Lenovo Vantage SystemUpdate Plugin version 2.0.0.212 and earlier that could allow a local attacker to delete arbitrary files."}, {"lang": "es", "value": "Se inform\u00f3 una vulnerabilidad de Time of Check Time of Use (TOCTOU) en Lenovo Vantage SystemUpdate Plugin versi\u00f3n 2.0.0.212 y anteriores que podr\u00eda permitir a un atacante local eliminar archivos arbitrarios."}], "id": "CVE-2022-3700", "lastModified": "2023-11-07T19:42:42.127", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.2, "source": "psirt@lenovo.com", "type": "Secondary"}]}, "published": "2023-10-27T20:15:08.777", "references": [{"source": "psirt@lenovo.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://support.lenovo.com/us/en/product_security/LEN-94532"}], "sourceIdentifier": "psirt@lenovo.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "psirt@lenovo.com", "type": "Primary"}]}