Information Disclosure in Lenovo Personal Cloud Storage Devices
CVE-2021-42848

4.3MEDIUM

Key Information:

Vendor: Lenovo
Status: Personal Cloud Storage A1; Personal Cloud Storage T1; Personal Cloud Storage X1; Personal Cloud Storage T2
Vendor: CVE Published:; 18 May 2022

Summary

An information disclosure vulnerability exists in specific Lenovo Personal Cloud Storage devices, enabling unauthenticated users to access sensitive device and network information. This vulnerability poses a significant risk, as it allows potential attackers to acquire details about the device configuration and networking environment, which can be leveraged for further malicious activities.

Affected Version(s)

Personal Cloud Storage A1 < 5.3.6.a1

Personal Cloud Storage T1 < 5.3.6.t1

Personal Cloud Storage T2 < 5.3.8.t2

References

https://iknow.lenovo.com.cn/detail/dc_200017.html

x_refsource_MISC

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 18, 2022
Vulnerability Reserved
Oct 22, 2021

Credit

Lenovo thanks Kais and KT of 360 Vulcan Team for reporting these issues.