CVE-2023-5081: CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere in Lenovo Tablet

Low
Published: Fri Jan 19 2024 (01/19/2024, 20:07:36 UTC)
Source: CVE Database V5
Vendor/Project: Lenovo
Product: Tablet

Description

An information disclosure vulnerability was reported in the Lenovo Tab M8 HD that could allow a local application to gather a non-resettable device identifier.

AI-Powered Analysis

Last updated: 07/08/2025, 16:39:37 UTC

Technical Analysis

CVE-2023-5081 is an information disclosure vulnerability identified in the Lenovo Tab M8 HD tablet series. It allows a local application with low privileges to access a non-resettable device identifier. This identifier is persistent and unique to the device, so its exposure can lead to privacy concerns and potential device tracking. The vulnerability falls under CWE-497, which covers the exposure of sensitive system information to an unauthorized control sphere. The attack vector is local, meaning the attacker must be able to execute code or install an application on the device. No user interaction is required once the application is installed, and the vulnerability does not affect the confidentiality, integrity, or availability of the system beyond the leakage of this identifier. The CVSS v3.1 base score is 3.3, indicating low severity, primarily due to the limited impact and the requirement for local privileges. There are no known exploits in the wild, and no patches have been linked or published at the time of this report. The vulnerability affects various versions of the Lenovo Tab M8 HD, but specific version details are not provided.

Potential Impact

For European organizations, the primary impact of this vulnerability is related to privacy and device tracking risks rather than direct compromise of sensitive corporate data or operational disruption. If corporate-issued Lenovo Tab M8 HD devices are used within an organization, a malicious local application could potentially track devices persistently or correlate device usage across different applications or services, undermining user privacy and potentially violating GDPR regulations concerning personal data protection. Although the vulnerability does not allow remote exploitation or direct data theft, the exposure of a non-resettable device identifier could facilitate profiling or targeted attacks if combined with other vulnerabilities or social engineering. The risk is higher in environments where devices are shared or where users may install untrusted applications. However, the overall operational impact on European enterprises is expected to be low given the local access requirement and limited scope of the vulnerability.

Mitigation Recommendations

To mitigate this vulnerability effectively, organizations should:

1) Enforce strict application installation policies on Lenovo Tab M8 HD devices, allowing only trusted and vetted applications to be installed, preferably through managed app stores or enterprise mobility management (EMM) solutions.
2) Implement device usage policies that restrict local user privileges and prevent installation of unauthorized software.
3) Monitor device behavior for unusual access patterns to device identifiers or other sensitive information.
4) Educate users about the risks of installing untrusted applications and the importance of device hygiene.
5) Regularly check for firmware and software updates from Lenovo and apply patches promptly once available.
6) Consider deploying endpoint detection and response (EDR) tools capable of detecting suspicious local application activities on tablets.

These steps go beyond generic advice by focusing on controlling local application installation and monitoring device-specific behaviors relevant to this vulnerability.

Technical Details

Data Version: 5.1
Assigner Short Name: lenovo
Date Reserved: 2023-09-19T21:01:59.167Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6839c41d182aa0cae2b43592

Added to database: 5/30/2025, 2:43:41 PM

Last enriched: 7/8/2025, 4:39:37 PM

Last updated: 8/16/2025, 7:33:46 AM

Views: 15
