ThinkPad L390 Yoga Vulnerability Could Lead to Privilege Escalation

CVE-2024-7756

6.8MEDIUM

Key Information

Vendor: Lenovo
Status: 10w (type 82st, 82su) Laptop (lenovo) BiOS; L390 (type 20nr, 20ns) Laptops (thinkpad) BiOS; L390 Yoga (type 20nt, 20nu) Laptops (thinkpad) BiOS
Vendor: CVE Published:; 13 September 2024

Summary

A potential vulnerability was reported in the ThinkPad L390 Yoga and 10w Notebook that could allow a local attacker to escalate privileges by accessing an embedded UEFI shell.

Affected Version(s)

10w (Type 82ST, 82SU) Laptop (Lenovo) BIOS < 0

L390 (type 20NR, 20NS) Laptops (ThinkPad) BIOS < 1.47

L390 Yoga (type 20NT, 20NU) Laptops (ThinkPad) BIOS < 1.47

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Physical

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Sep 13, 2024
Vulnerability Reserved.
Aug 13, 2024

Collectors

NVD DatabaseMitre Database

Credit

Lenovo thanks Warren Togami for reporting this issue.