[Japanese]
|
JVNDB-2024-000028
|
Multiple vulnerabilities in SKYSEA Client View
|
SKYSEA Client View provided by Sky Co.,LTD. is an Enterprise IT Asset Management Tool.
SKYSEA Client View contains multiple vulnerabilities listed below.
* Improper access control in the specific folder (CWE-284) - CVE-2024-21805
* Improper access control in the resident process (CWE-284) - CVE-2024-24964
CVE-2024-21805
Ken Kitahara of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2024-24964
Ruslan Sayfiev, and Denis Faiustov of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to Sky Co.,LTD. and coordinated. Sky Co.,LTD. and JPCERT/CC published respective advisories in order to notify users of the solutions through JVN.
|
CVSS V3 Severity: Base Metrics 7.8 (High) [IPA Score]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Access Vector: Local
- Access Complexity: Low
- Authentication: Single Instance
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2024-24964
|
CVSS V3 Severity:
Base Metrics 3.3 (Low) [IPA Score]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity:
Base Metrics 1.7 (Low) [IPA Score]
- Access Vector: Local
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-21805
|
|
Sky Co., LTD.
- SKYSEA Client View versions from Ver.16.100 prior to Ver.19.2
- SKYSEA Client View versions from Ver.11.220 prior to Ver.19.2
|
|
* An arbitrary file may be placed in the specific folder by a user who can log in to the PC where the product's Windows client is installed. In case the file is a specially crafted DLL file, arbitrary code may be executed with SYSTEM privilege - CVE-2024-21805
* An arbitrary process may be executed with SYSTEM privilege by a user who can log in to the PC where the product's Windows client is installed - CVE-2024-24964
|
[Update the software]
Update the software to the latest version according to the information provided by the developer.
The developer has released SKYSEA Client View Ver.19.2 that addresses these vulnerabilities.
[Apply the patch]
For SKYSEA Client View Ver.17.0 to Ver.19.101, the developer has released patches that contain fixes for these vulnerabilities.
For more details, refer to the information provided by the developer.
|
Sky Co., LTD.
|
- Permissions(CWE-264) [IPA Evaluation]
|
- CVE-2024-21805
- CVE-2024-24964
|
- JVN : JVN#54451757
|
- [2024/03/07]
Web page was published
|