CVE-2017-3742

In Lenovo Connect2 versions earlier than 4.2.5.4885 for Windows and 4.2.5.3071 for Android, when an ad-hoc connection is made between two systems for the purpose of sharing files, the password for this ad-hoc connection will be stored in a user-readable location. An attacker with read access to the user's contents could connect to the Connect2 hotspot and see the contents of files while they are being transferred between the two systems.

CVSS v3 4.8 MEDIUM
CVSS v2.0 2.3 LOW

4.8^/10

CVSS v3 : MEDIUM

Vector : AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability : 1.2 / Impact : 3.6

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.3^/10

CVSS v2.0 : LOW

Vector : AV:A/AC:M/Au:S/C:P/I:N/A:N

Exploitability : 4.4 / Impact : 2.9

Access Vector ADJACENT_NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://support.lenovo.com/us/en/product_security/LEN-14398	Vendor Advisory
https://support.lenovo.com/us/en/product_security/LEN-14398	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:lenovo:connect2:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:a:lenovo:connect2:*:*:*:*:*:*:*:*

cpe:2.3:o:google:android:*:*:*:*:*:*:*:*

History

21 Nov 2024, 03:26

Type	Values Removed	Values Added
References	~~() https://support.lenovo.com/us/en/product_security/LEN-14398 - Vendor Advisory~~	() https://support.lenovo.com/us/en/product_security/LEN-14398 - Vendor Advisory

Information

Published : 2017-07-17 19:29

Updated : 2024-11-21 03:26

NVD link : CVE-2017-3742

Mitre link : CVE-2017-3742

CVE.ORG link : CVE-2017-3742

JSON object : View

Products Affected

google

android

microsoft

windows

lenovo

connect2

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2017-3742", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.3, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:M/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 4.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 4.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2017-07-17T19:29:00.277", "references": [{"url": "https://support.lenovo.com/us/en/product_security/LEN-14398", "tags": ["Vendor Advisory"], "source": "psirt@lenovo.com"}, {"url": "https://support.lenovo.com/us/en/product_security/LEN-14398", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "In Lenovo Connect2 versions earlier than 4.2.5.4885 for Windows and 4.2.5.3071 for Android, when an ad-hoc connection is made between two systems for the purpose of sharing files, the password for this ad-hoc connection will be stored in a user-readable location. An attacker with read access to the user's contents could connect to the Connect2 hotspot and see the contents of files while they are being transferred between the two systems."}, {"lang": "es", "value": "En las versiones de Lenovo Connect2 anteriores a 4.2.5.4885 para Windows y versi\u00f3n 4.2.5.3071 para Android, cuando una conexi\u00f3n ad-hoc se realiza entre dos sistemas con el fin de compartir archivos, la contrase\u00f1a de esta conexi\u00f3n ad-hoc ser\u00e1 almacenada en una ubicaci\u00f3n legible por el usuario. Un atacante con acceso de lectura al contenido del usuario podr\u00eda conectarse al punto de acceso Connect2 y visualizar el contenido de los archivos mientras estos son transferidos entre los dos sistemas."}], "lastModified": "2024-11-21T03:26:02.977", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:connect2:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3D397211-B783-40B4-83C7-C01825D6C112", "versionEndIncluding": "4.2.5"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2CF61F35-5905-4BA9-AD7E-7DB261D2F256"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:connect2:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3D397211-B783-40B4-83C7-C01825D6C112", "versionEndIncluding": "4.2.5"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:google:android:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8255F035-04C8-4158-B301-82101711939C"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "psirt@lenovo.com"}