CVE-2021-3972 — MEDIUM (6.7)

Q: How severe is CVE-2021-3972?

CVE-2021-3972 has been rated MEDIUM with a CVSS base score of 6.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-3972?

Check the references section above for vendor advisories and patch information. Affected products include: Lenovo Ideapad 3-14Ada05 Firmware, Lenovo Ideapad 3-14Ada05, Lenovo Ideapad 3-14Ada6 Firmware, Lenovo Ideapad 3-14Ada6, Lenovo Ideapad 3-14Alc6 Firmware.

Vulnerability Description

A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices' BIOS that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

CVSS Score

6.7

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Lenovo	Ideapad 3-14Ada05 Firmware	< e8cn33ww
Lenovo	Ideapad 3-14Ada05	-
Lenovo	Ideapad 3-14Ada6 Firmware	< hbcn21ww
Lenovo	Ideapad 3-14Ada6	-
Lenovo	Ideapad 3-14Alc6 Firmware	< glcn43ww
Lenovo	Ideapad 3-14Alc6	-
Lenovo	Ideapad 3-14Are05 Firmware	< dzcn42ww
Lenovo	Ideapad 3-14Are05	-
Lenovo	Ideapad 3-15Ada6 Firmware	< hbcn21ww
Lenovo	Ideapad 3-15Ada6	-
Lenovo	Ideapad 3-15Alc6 Firmware	< glcn43ww
Lenovo	Ideapad 3-15Alc6	-
Lenovo	Ideapad 3-15Are05 Firmware	< dzcn42ww
Lenovo	Ideapad 3-15Are05	-
Lenovo	Ideapad 3-15Igl05 Firmware	< dvcn23ww
Lenovo	Ideapad 3-15Igl05	-
Lenovo	Ideapad 3-17Ada05 Firmware	< e8cn33ww
Lenovo	Ideapad 3-17Ada05	-
Lenovo	Ideapad 3-17Ada6 Firmware	< hbcn21ww
Lenovo	Ideapad 3-17Ada6	-

Related Weaknesses (CWE)

CWE-489

References

https://support.lenovo.com/us/en/product_security/LEN-73440Vendor Advisory
https://support.lenovo.com/us/en/product_security/LEN-73440Vendor Advisory

FAQ

What is CVE-2021-3972?

CVE-2021-3972 is a vulnerability with a CVSS score of 6.7 (MEDIUM). A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices' BIOS that was mistakenly not deactivated may allow an attacker with elevated privilege...

How severe is CVE-2021-3972?

CVE-2021-3972 has been rated MEDIUM with a CVSS base score of 6.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-3972?

Check the references section above for vendor advisories and patch information. Affected products include: Lenovo Ideapad 3-14Ada05 Firmware, Lenovo Ideapad 3-14Ada05, Lenovo Ideapad 3-14Ada6 Firmware, Lenovo Ideapad 3-14Ada6, Lenovo Ideapad 3-14Alc6 Firmware.