ChaSen vulnerable to buffer overflow


ChaSen provided by Nara Institute of Science and Technology contains a buffer overflow vulnerability.

ChaSen, provided by Nara Institute of Science and Technology, is software for morphological analysis of Japanese. ChaSen contains a flaw in how it reads in strings, which may lead to a buffer overflow.

The ChaSen legacy project has carried on development of ChaSen since 11/8/2011.

Kenji Aiko of NetAgent Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products

Nara Institute of Science and Technology
  • ChaSen version 2.4.4 and earlier
  • ChaSen version 2.3.3 and earlier

Products that use the above versions of ChaSen are vulnerable.

An arbitrary script may be executed by an attacker with access to a system that is running a product listed in "Affected Products."

[Apply a patch]
Apply a patch according to the information provided by the ChaSen legacy project.

Vendor Information

Nara Institute of Science and Technology

CWE

  1. Buffer Errors (CWE-119) [IPA Evaluation]

CVE

  1. CVE-2011-4000

  1. JVN : JVN#16901583
  2. National Vulnerability Database (NVD) : CVE-2011-4000

Revision History

  • [2011/11/08]
      Web page published
      Overview : Content was changed
      Affected Products : Content was changed
      Vendor Information : Content was added
      Solution : Content was changed