Multiple vulnerabilities in Lenovo Vantage
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2020-8316 CVE-2020-8327 CVE-2020-8318 |
| CWE-ID | CWE-200 CWE-264 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Vantage Client/Desktop applications / Other client software Lenovo System Interface Foundation Other software / Other software solutions |
| Vendor | Lenovo |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Information disclosure
EUVDB-ID: #VU27000
Risk: Low
CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-8316
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to an unspecified error. A local user can read files on the system with elevated privileges.
MitigationInstall updates from vendor's website.
Vulnerable software versionsVantage: before 10.2003.10.0
CPE2.3 External linkshttps://support.lenovo.com/us/en/product_security/LEN-30401
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU27004
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-8327
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper privilege management in LenovoBatteryGaugePackage for Lenovo System Interface Foundation component for Lenovo Vantage. A local user can execute arbitrary code on the target system with elevated privileges.
MitigationInstall updates from vendor's website.
Vulnerable software versionsLenovo System Interface Foundation: All versions
Vantage: before 10.2003.10.0
CPE2.3- cpe:2.3:a:lenovo:lenovo_system_interface_foundation:*:*:*:*:*:*:*:*
- cpe:2.3:a:lenovo:vantage:*:*:*:*:*:*:*:*
https://support.lenovo.com/us/en/product_security/LEN-30401
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU27002
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-8318
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper privilege management in the LenovoSystemUpdatePlugin for Lenovo System Interface Foundation component for Lenovo Vantage. A local user can execute arbitrary code with elevated privileges.
MitigationVendor recommends to update Lenovo Vantage to version 10.2003.10.0
Vulnerable software versionsLenovo System Interface Foundation: All versions
Vantage: before 10.2003.10.0
CPE2.3- cpe:2.3:a:lenovo:lenovo_system_interface_foundation:*:*:*:*:*:*:*:*
- cpe:2.3:a:lenovo:vantage:*:*:*:*:*:*:*:*
https://support.lenovo.com/us/en/product_security/LEN-30401
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
