CVE-2023-5081: CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere in Lenovo Tablet
An information disclosure vulnerability was reported in the Lenovo Tab M8 HD that could allow a local application to gather a non-resettable device identifier.
AI Analysis
Technical Summary
CVE-2023-5081 is an information disclosure vulnerability identified in the Lenovo Tab M8 HD tablet series. The vulnerability allows a local application with limited privileges (low-level privileges) to access a non-resettable device identifier. This identifier is persistent and unique to the device, and its exposure can lead to privacy concerns and potential device tracking. The vulnerability falls under CWE-497, which pertains to the exposure of sensitive system information to an unauthorized control sphere. The attack vector requires local access, meaning the attacker must have the ability to execute code or install an application on the device. No user interaction is required once the application is installed, and the vulnerability does not affect the confidentiality, integrity, or availability of the system beyond the leakage of this identifier. The CVSS v3.1 base score is 3.3, indicating a low severity level, primarily due to the limited impact and the requirement for local privileges. There are no known exploits in the wild, and no patches have been linked or published at the time of this report. The vulnerability affects various versions of the Lenovo Tab M8 HD, but specific version details are not provided.
Potential Impact
For European organizations, the primary impact of this vulnerability is related to privacy and device tracking risks rather than direct compromise of sensitive corporate data or operational disruption. If corporate-issued Lenovo Tab M8 HD devices are used within an organization, a malicious local application could potentially track devices persistently or correlate device usage across different applications or services, undermining user privacy and potentially violating GDPR regulations concerning personal data protection. Although the vulnerability does not allow remote exploitation or direct data theft, the exposure of a non-resettable device identifier could facilitate profiling or targeted attacks if combined with other vulnerabilities or social engineering. The risk is higher in environments where devices are shared or where users may install untrusted applications. However, the overall operational impact on European enterprises is expected to be low given the local access requirement and limited scope of the vulnerability.
Mitigation Recommendations
To mitigate this vulnerability effectively, organizations should: 1) Enforce strict application installation policies on Lenovo Tab M8 HD devices, allowing only trusted and vetted applications to be installed, preferably through managed app stores or enterprise mobility management (EMM) solutions. 2) Implement device usage policies that restrict local user privileges and prevent installation of unauthorized software. 3) Monitor device behavior for unusual access patterns to device identifiers or other sensitive information. 4) Educate users about the risks of installing untrusted applications and the importance of device hygiene. 5) Regularly check for firmware and software updates from Lenovo and apply patches promptly once available. 6) Consider deploying endpoint detection and response (EDR) tools capable of detecting suspicious local application activities on tablets. These steps go beyond generic advice by focusing on controlling local application installation and monitoring device-specific behaviors relevant to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
CVE-2023-5081: CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere in Lenovo Tablet
Description
An information disclosure vulnerability was reported in the Lenovo Tab M8 HD that could allow a local application to gather a non-resettable device identifier.
AI-Powered Analysis
Technical Analysis
CVE-2023-5081 is an information disclosure vulnerability identified in the Lenovo Tab M8 HD tablet series. The vulnerability allows a local application with limited privileges (low-level privileges) to access a non-resettable device identifier. This identifier is persistent and unique to the device, and its exposure can lead to privacy concerns and potential device tracking. The vulnerability falls under CWE-497, which pertains to the exposure of sensitive system information to an unauthorized control sphere. The attack vector requires local access, meaning the attacker must have the ability to execute code or install an application on the device. No user interaction is required once the application is installed, and the vulnerability does not affect the confidentiality, integrity, or availability of the system beyond the leakage of this identifier. The CVSS v3.1 base score is 3.3, indicating a low severity level, primarily due to the limited impact and the requirement for local privileges. There are no known exploits in the wild, and no patches have been linked or published at the time of this report. The vulnerability affects various versions of the Lenovo Tab M8 HD, but specific version details are not provided.
Potential Impact
For European organizations, the primary impact of this vulnerability is related to privacy and device tracking risks rather than direct compromise of sensitive corporate data or operational disruption. If corporate-issued Lenovo Tab M8 HD devices are used within an organization, a malicious local application could potentially track devices persistently or correlate device usage across different applications or services, undermining user privacy and potentially violating GDPR regulations concerning personal data protection. Although the vulnerability does not allow remote exploitation or direct data theft, the exposure of a non-resettable device identifier could facilitate profiling or targeted attacks if combined with other vulnerabilities or social engineering. The risk is higher in environments where devices are shared or where users may install untrusted applications. However, the overall operational impact on European enterprises is expected to be low given the local access requirement and limited scope of the vulnerability.
Mitigation Recommendations
To mitigate this vulnerability effectively, organizations should: 1) Enforce strict application installation policies on Lenovo Tab M8 HD devices, allowing only trusted and vetted applications to be installed, preferably through managed app stores or enterprise mobility management (EMM) solutions. 2) Implement device usage policies that restrict local user privileges and prevent installation of unauthorized software. 3) Monitor device behavior for unusual access patterns to device identifiers or other sensitive information. 4) Educate users about the risks of installing untrusted applications and the importance of device hygiene. 5) Regularly check for firmware and software updates from Lenovo and apply patches promptly once available. 6) Consider deploying endpoint detection and response (EDR) tools capable of detecting suspicious local application activities on tablets. These steps go beyond generic advice by focusing on controlling local application installation and monitoring device-specific behaviors relevant to this vulnerability.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- lenovo
- Date Reserved
- 2023-09-19T21:01:59.167Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6839c41d182aa0cae2b43592
Added to database: 5/30/2025, 2:43:41 PM
Last enriched: 7/8/2025, 4:39:37 PM
Last updated: 8/15/2025, 12:05:39 PM
Views: 13
Related Threats
CVE-2025-8464: CWE-23 Relative Path Traversal in glenwpcoder Drag and Drop Multiple File Upload for Contact Form 7
MediumCVE-2025-7499: CWE-862 Missing Authorization in wpdevteam BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers
MediumCVE-2025-8898: CWE-862 Missing Authorization in magepeopleteam E-cab Taxi Booking Manager for Woocommerce
CriticalCVE-2025-8896: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in cozmoslabs User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
MediumCVE-2025-8089: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in mdempfle Advanced iFrame
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.