CVE-2021-42849

Published: May 18, 2022Modified: Nov 21, 2024

6.8

Vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 0.9 / Impact: 5.9

Source: NVD

Description

A weak default password for the serial port was reported in some Lenovo Personal Cloud Storage devices that could allow unauthorized device access to an attacker with physical access.

Affected (5)

Products: Lenovo: A1 Firmware, T1 Firmware, X1 Firmware, T2 Firmware, T2pro Firmware

5 products

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo A1 Firmware	Before 5.3.6.a1

Running on/with	Platform Versions
Lenovo A1	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo T1 Firmware	Before 5.3.6.t1

Running on/with	Platform Versions
Lenovo T1	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo X1 Firmware	Before 5.3.8.x1

Running on/with	Platform Versions
Lenovo X1	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo T2 Firmware	Before 5.3.8.t2

Running on/with	Platform Versions
Lenovo T2	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lenovo T2pro Firmware	Before 5.3.7.t2-pro

Running on/with	Platform Versions
Lenovo T2pro	All versions

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-798

Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

References (2)

https://iknow.lenovo.com.cn/detail/dc_200017.html

Source: psirt@lenovo.com

Vendor Advisory

https://iknow.lenovo.com.cn/detail/dc_200017.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.