CVE-2017-3757

An unquoted service path vulnerability was identified in the driver for the ElanTech Touchpad, various versions, used on some Lenovo brand notebooks (not ThinkPads). This could allow an attacker with local privileges to execute code with administrative privileges.

CVSS v3 7.8 HIGH
CVSS v2.0 7.2 HIGH

7.8^/10

CVSS v3 : HIGH

Vector : AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.2^/10

CVSS v2.0 : HIGH

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://support.lenovo.com/us/en/product_security/LEN-14390	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:emc:elan_touchpad_driver:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2017-08-29 01:35

Updated : 2017-09-12 15:49

NVD link : CVE-2017-3757

Mitre link : CVE-2017-3757

CVE.ORG link : CVE-2017-3757

JSON object : View

Products Affected

emc

elan_touchpad_driver

CWE

CWE-428

Unquoted Search Path or Element

{"id": "CVE-2017-3757", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2017-08-29T01:35:13.797", "references": [{"url": "https://support.lenovo.com/us/en/product_security/LEN-14390", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@lenovo.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-428"}]}], "descriptions": [{"lang": "en", "value": "An unquoted service path vulnerability was identified in the driver for the ElanTech Touchpad, various versions, used on some Lenovo brand notebooks (not ThinkPads). This could allow an attacker with local privileges to execute code with administrative privileges."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad de ruta de b\u00fasqueda sin entrecomillar en el controlador para ElanTech Touchpad en varias versiones que se emplea en varios notebooks de la marca Lenovo (excepto ThinkPads). Esto podr\u00eda permitir que un atacante con privilegios locales ejecutase c\u00f3digo con privilegios administrativos."}], "lastModified": "2017-09-12T15:49:33.527", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:emc:elan_touchpad_driver:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1805E22D-3BC8-4C10-BF1C-15ACDF56CB04", "versionEndIncluding": "11.4.1.6"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@lenovo.com"}