[Japanese]

JVNDB-2011-000099

ChaSen vulnerable to buffer overflow

Overview

ChaSen provided by Nara Institute of Science and Technology contains a buffer overflow vulnerability.

ChaSen provided by Nara Institute of Science and Technology is a software for morphologically analyzing Japanese. ChaSen contains an issue when reading in strings, which may lead to a buffer overflow.

ChaSen legacy project has inherited development of ChaSen since 11/8/2011.

Kenji Aiko of NetAgent Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products


Nara Institute of Science and Technology
  • ChaSen version 2.4.4 and earlier
  • ChaSen version 2.3.3 and earlier

Products that use the above versions of ChaSen are vulnerable.
Impact

An arbitrary script may be executed by an attacker with access to a system that is running a product listed in "Products Affected."
Solution

[Apply a patch]
Apply a patch according to the information provided by ChaSen legacy project.
Vendor Information

Nara Institute of Science and Technology
CWE (What is CWE?)

  1. Buffer Errors(CWE-119) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2011-4000
References

  1. JVN : JVN#16901583
  2. National Vulnerability Database (NVD) : CVE-2011-4000
Revision History

[2011/11/08]
  Web page published
[2011/12/20]
  Overview : Contents was changed
  Affected Products : Contents was changed
  Vendor Information : Contents was added
  Solution : Contents was changed