CVE-2022-3431 — MEDIUM (6.7)

Q: How severe is CVE-2022-3431?

CVE-2022-3431 has been rated MEDIUM with a CVSS base score of 6.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-3431?

Check the references section above for vendor advisories and patch information. Affected products include: Lenovo Ideapad Creator 5-16Ach6 Firmware, Lenovo Ideapad Creator 5-16Ach6, Lenovo Ideapad 5 Pro-16Ihu6 Firmware, Lenovo Ideapad 5 Pro-16Ihu6, Lenovo Ideapad 5 Pro-16Ach6 Firmware.

Vulnerability Description

A potential vulnerability in a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

CVSS Score

6.7

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Lenovo	Ideapad Creator 5-16Ach6 Firmware	< gscn34ww
Lenovo	Ideapad Creator 5-16Ach6	-
Lenovo	Ideapad 5 Pro-16Ihu6 Firmware	< grcn22ww
Lenovo	Ideapad 5 Pro-16Ihu6	-
Lenovo	Ideapad 5 Pro-16Ach6 Firmware	< gscn34ww
Lenovo	Ideapad 5 Pro-16Ach6	-
Lenovo	Yoga Slim 7-13Itl05 Firmware	< f7cn39ww
Lenovo	Yoga Slim 7-13Itl05	-
Lenovo	Yoga Slim 7-13Acn05 Firmware	< ghcn28ww
Lenovo	Yoga Slim 7-13Acn05	-
Lenovo	Yoga Slim 7 Pro 16Arh7 Firmware	< klcn15ww
Lenovo	Yoga Slim 7 Pro 16Arh7	-
Lenovo	Yoga Slim 7 Pro 16Ach6 Firmware	< hucn16ww
Lenovo	Yoga Slim 7 Pro 16Ach6	-
Lenovo	Yoga Slim 7 Carbon 13Itl5 Firmware	< f7cn39ww
Lenovo	Yoga Slim 7 Carbon 13Itl5	-
Lenovo	Yoga Duet 7-13Itl6-Lte Firmware	< gpcn24ww
Lenovo	Yoga Duet 7-13Itl6-Lte	-
Lenovo	Yoga Duet 7-13Itl6 Firmware	< gpcn24ww
Lenovo	Yoga Duet 7-13Itl6	-

Related Weaknesses (CWE)

CWE-276

References

https://support.lenovo.com/us/en/product_security/LEN-94952Vendor Advisory
https://support.lenovo.com/us/en/product_security/LEN-94952Vendor Advisory

FAQ

What is CVE-2022-3431?

CVE-2022-3431 is a vulnerability with a CVSS score of 6.7 (MEDIUM). A potential vulnerability in a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to m...

How severe is CVE-2022-3431?

CVE-2022-3431 has been rated MEDIUM with a CVSS base score of 6.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-3431?

Check the references section above for vendor advisories and patch information. Affected products include: Lenovo Ideapad Creator 5-16Ach6 Firmware, Lenovo Ideapad Creator 5-16Ach6, Lenovo Ideapad 5 Pro-16Ihu6 Firmware, Lenovo Ideapad 5 Pro-16Ihu6, Lenovo Ideapad 5 Pro-16Ach6 Firmware.