CVE-2024-5474

A potential information disclosure vulnerability was reported in Lenovo's packaging of Dolby Vision Provisioning software prior to version 2.0.0.2 that could allow a local attacker to read files on the system with elevated privileges during installation of the package. Previously installed versions are not affected by this issue.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://support.lenovo.com/us/en/product_security/LEN-158394	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lenovo:dolby_vision_provisioning:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-10-11 16:15

Updated : 2024-11-15 17:00

NVD link : CVE-2024-5474

Mitre link : CVE-2024-5474

CVE.ORG link : CVE-2024-5474

JSON object : View

Products Affected

lenovo

dolby_vision_provisioning

CWE

CWE-276

Incorrect Default Permissions

{"id": "CVE-2024-5474", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@lenovo.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-10-11T16:15:14.440", "references": [{"url": "https://support.lenovo.com/us/en/product_security/LEN-158394", "tags": ["Vendor Advisory"], "source": "psirt@lenovo.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "psirt@lenovo.com", "description": [{"lang": "en", "value": "CWE-276"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-276"}]}], "descriptions": [{"lang": "en", "value": "A potential information disclosure vulnerability was reported in Lenovo's packaging of Dolby Vision Provisioning software prior to version 2.0.0.2 that could allow a local attacker to read files on the system with elevated privileges during installation of the package. Previously installed versions are not affected by this issue."}, {"lang": "es", "value": "Se inform\u00f3 de una posible vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en el paquete de software Dolby Vision Provisioning de Lenovo anterior a la versi\u00f3n 2.0.0.2 que podr\u00eda permitir que un atacante local lea archivos en el sistema con privilegios elevados durante la instalaci\u00f3n del paquete. Las versiones instaladas anteriormente no se ven afectadas por este problema."}], "lastModified": "2024-11-15T17:00:35.697", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:dolby_vision_provisioning:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0A189EC9-ED49-4291-95E9-2F5BE2CB6595", "versionEndExcluding": "2.0.0.2"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@lenovo.com"}