[Japanese]

JVNDB-2017-009884

QND Advance/Standard vulnerable to directory traversal

Overview

QND Advance/Standard provided by QualitySoft Corporation contains a directory traversal vulnerability.

QND Advance/Standard provided by QualitySoft Corporation contains a directory traversal vulnerability (CWE-22) in an administrative server due to the issue in processing input from an agent program.
An administrative server does not require authentication in the communication between a server and an agent program either, therefore an arbitrary request from an arbitrary device with access to an administrative server can be sent and processed.

Muneaki Nishimura of of Recruit Technologies Co.,Ltd. RED TEAM reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

Base Metrics: 9.4 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: None

CVSS V3 Severity:
Base Metrics: 9.1 (Critical) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None
Affected Products


QualitySoft Corporation
  • QND Advance/Standard all versions

Impact

If an administrative server processes a specially crafted command, an arbitrary file in the administrative server may be obtained or altered.
Solution

[Update the Software]
Apply the latest update according to the information provided by the developer.
Vendor Information

QualitySoft Corporation
CWE (What is CWE?)

  1. Path Traversal(CWE-22) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2017-10861
References

  1. JVN : JVNVU#94198685
Revision History

[2017/11/28]
  Web page was published