CVE-2022-4569 - OpenCVE

A local privilege escalation vulnerability in the ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool could allow an attacker with local access to execute code with elevated privileges during the package upgrade or installation.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Lenovo	Thinkpad Hybrid Usb-c With Usb-a Dock Firmware Thinkpad Hybrid Usb-c With Usb-a Dock

Configuration 1 [-]

AND

cpe:2.3:o:lenovo:thinkpad_hybrid_usb-c_with_usb-a_dock_firmware:*:*:*:*:*:windows:*:*

cpe:2.3:h:lenovo:thinkpad_hybrid_usb-c_with_usb-a_dock:-:*:*:*:*:*:*:*

References

Link	Resource
https://support.lenovo.com/us/en/product_security/LEN-103544	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: lenovo

Published: 2023-06-05T20:59:26.019Z

Updated: 2023-06-05T20:59:26.019Z

Reserved: 2022-12-16T19:33:47.531Z

Link: CVE-2022-4569

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-06-05T21:15:10.413

Modified: 2023-06-13T16:56:50.710

Link: CVE-2022-4569

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2022-4569", "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "state": "PUBLISHED", "assignerShortName": "lenovo", "dateReserved": "2022-12-16T19:33:47.531Z", "datePublished": "2023-06-05T20:59:26.019Z", "dateUpdated": "2023-06-05T20:59:26.019Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool", "vendor": "Lenovo", "versions": [{"status": "affected", "version": "versions prior to v1.0.35_v2 "}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": " Lenovo thanks Raphael Rosenast of Compass Security."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A local privilege escalation vulnerability in the ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool could allow an attacker with local access to execute code with elevated privileges during the package upgrade or installation."}], "value": "A local privilege escalation vulnerability in the ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool could allow an attacker with local access to execute code with elevated privileges during the package upgrade or installation."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo", "dateUpdated": "2023-06-05T20:59:26.019Z"}, "references": [{"url": "https://support.lenovo.com/us/en/product_security/LEN-103544"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Customers should update their ThinkPad Dock Firmware Update Tool to version v1.0.35_v2 or later"}], "value": "Customers should update their ThinkPad Dock Firmware Update Tool to version v1.0.35_v2 or later"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:lenovo:thinkpad_hybrid_usb-c_with_usb-a_dock_firmware:*:*:*:*:*:windows:*:*", "matchCriteriaId": "A2688053-9035-434B-B91A-D65053997264", "versionEndExcluding": "1.0.35_v2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinkpad_hybrid_usb-c_with_usb-a_dock:-:*:*:*:*:*:*:*", "matchCriteriaId": "84E3B238-F3FA-47ED-AB7C-724007ECF450", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A local privilege escalation vulnerability in the ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool could allow an attacker with local access to execute code with elevated privileges during the package upgrade or installation."}], "id": "CVE-2022-4569", "lastModified": "2023-06-13T16:56:50.710", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "psirt@lenovo.com", "type": "Secondary"}]}, "published": "2023-06-05T21:15:10.413", "references": [{"source": "psirt@lenovo.com", "tags": ["Vendor Advisory"], "url": "https://support.lenovo.com/us/en/product_security/LEN-103544"}], "sourceIdentifier": "psirt@lenovo.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-276"}], "source": "psirt@lenovo.com", "type": "Secondary"}]}