JVNDB-2016-002298

Keitai Kit for Movable Type vulnerable to OS command injection

Overview

Keitai Kit for Movable Type contains an OS command injection vulnerability.

Keitai Kit for Movable Type provided by ideaman's Inc. contains an OS command injection vulnerability (CWE-78).

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
http://cwe.mitre.org/data/definitions/78.html

Attacks in the wild leveraging this vulnerability have been confirmed.

CVSS Severity

CVSS V3 Severity:
Base Metrics 7.3 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 7.5 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products

ideaman's Inc.
  • KEITAi KIT for Movable Type 1.35 through 1.641

Impact

An arbitrary OS command may be executed on the server where the product is running.

Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.
According to the developer, users of Keitai Kit for Movable Type 1.35 through 1.63 need to rebuild the website and the blog after applying the update.

[Apply the Patch]
Until an update can be applied, apply the appropriate patch according to the information provided by the developer.

Vendor Information

ideaman's Inc.

CWE

  1. OS Command Injection (CWE-78) [IPA Evaluation]

CVE

  1. CVE-2016-1204

References

  1. JVN : JVNVU#92116866
  2. JPCERT : Some coordinated vulnerability disclosures in April 2016

Revision History

  • [2016/12/05]
      Web page was published