{ "CVE_data_meta": { "ASSIGNER": "PSIRT@synaptics.com", "DATE_PUBLIC": "2022-06-14T22:44:00.000Z", "ID": "CVE-2021-3675", "STATE": "PUBLIC", "TITLE": "synaTEE.signed.dll Out-Of-Bounds Heap Write" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Synaptics Fingerprint Driver", "version": { "version_data": [ { "platform": "x86/64", "version_affected": "<", "version_name": "5.1.xxx.26", "version_value": "xxx=340" }, { "platform": "x86/64", "version_affected": "<", "version_name": "5.2.xxxx.26", "version_value": "xxxx=3541" }, { "platform": "x86/64", "version_affected": "<", "version_name": "5.2.2xx.26", "version_value": "xx=29" }, { "platform": "x86/64", "version_affected": "<", "version_name": "5.2.3xx.26", "version_value": "xx=25" }, { "platform": "x86/64", "version_affected": "<", "version_name": "5.3.xxxx.26", "version_value": "xxxx=3543" }, { "platform": "x86/64", "version_affected": "<", "version_name": "5.5.xx.1058", "version_value": "xx=44" }, { "platform": "x86/64", "version_affected": "<", "version_name": "5.5.xx.1102", "version_value": "xx=34" }, { "platform": "x86/64", "version_affected": "<", "version_name": "5.5.xx.1116", "version_value": "xx=14" }, { "platform": "x86/64", "version_affected": "<", "version_name": "6.0.xx.1104", "version_value": "xx=50" }, { "platform": "x86/64", "version_affected": "<", "version_name": "6.0.xx.1108", "version_value": "xx=31" }, { "platform": "x86/64", "version_affected": "<", "version_name": "6.0.xx.1111", "version_value": "xx=58" } ] } } ] }, "vendor_name": "Synaptics" } ] } }, "credit": [ { "lang": "eng", "value": "Synaptics would like to thank Tobias Cloosters and Johannes Willbold for reporting this issue. " } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Improper Input Validation vulnerability in synaTEE.signed.dll of Synaptics Fingerprint Driver allows a local authorized attacker to overwrite a heap tag, with potential loss of confidentiality. This issue affects: Synaptics Synaptics Fingerprint Driver 5.1.xxx.26 versions prior to xxx=340 on x86/64; 5.2.xxxx.26 versions prior to xxxx=3541 on x86/64; 5.2.2xx.26 versions prior to xx=29 on x86/64; 5.2.3xx.26 versions prior to xx=25 on x86/64; 5.3.xxxx.26 versions prior to xxxx=3543 on x86/64; 5.5.xx.1058 versions prior to xx=44 on x86/64; 5.5.xx.1102 versions prior to xx=34 on x86/64; 5.5.xx.1116 versions prior to xx=14 on x86/64; 6.0.xx.1104 versions prior to xx=50 on x86/64; 6.0.xx.1108 versions prior to xx=31 on x86/64; 6.0.xx.1111 versions prior to xx=58 on x86/64." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-20 Improper Input Validation" } ] } ] }, "references": { "reference_data": [ { "name": "https://synaptics.com/sites/default/files/2022-06/fingerprint-driver-SGX-security-brief-2022-06-14.pdf", "refsource": "CONFIRM", "url": "https://synaptics.com/sites/default/files/2022-06/fingerprint-driver-SGX-security-brief-2022-06-14.pdf" }, { "name": "https://support.lenovo.com/us/en/product_security/LEN-68054", "refsource": "MISC", "url": "https://support.lenovo.com/us/en/product_security/LEN-68054" }, { "name": "https://support.hp.com/us-en/document/ish_6411153-6411191-16/hpsbhf03797", "refsource": "MISC", "url": "https://support.hp.com/us-en/document/ish_6411153-6411191-16/hpsbhf03797" } ] }, "solution": [ { "lang": "eng", "value": "Listed drivers and above have additional input validation. " } ], "source": { "discovery": "EXTERNAL" } }