[Japanese]
|
JVNDB-2017-000169
|
Installers of Lhaz and Lhaz+, and Self-Extracting Archives created by Lhaz or Lhaz+ may insecurely load Dynamic Link Libraries
|
Lhaz and Lhaz+ provided by Chitora soft contain the following vulnerabilities.
* Installers of Lhaz and Lhaz+ insecurely load Dynamic Link Libraries (CWE-427) - CVE-2017-2246, CVE-2017-2248
* Self-extracting archive files created by Lhaz or Lhaz+ insecurely load Dynamic Link Libraries (CWE-427) - CVE-2017-2247, CVE-2017-2249
Eili Masami of Tachibana Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 7.8 (High) [IPA Score]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 6.8 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2017-2246
|
|
chitora
- Lhaz version 2.4.0 and earlier (installer) - CVE-2017-2246
- Lhaz version 2.4.0 and earlier (Self-extracting archive files created) - CVE-2017-2247
- Lhaz+ version 3.4.0 and earlier (installer) - CVE-2017-2248
- Lhaz+ version 3.4.0 and earlier (Self-extracting archive files created) - CVE-2017-2249
|
|
Arbitrary code may be executed with the privilege of the user invoking the installer. - CVE-2017-2246, CVE-2017-2248
Arbitrary code may be executed with the privilege of the user invoking the self-extracting archive file. - CVE-2017-2247, CVE-2017-2249
|
[Update the software]
Update to the latest version according to the information provided by the developer.
|
chitora
|
- No Mapping(CWE-Other) [IPA Evaluation]
|
- CVE-2017-2246
- CVE-2017-2247
- CVE-2017-2248
- CVE-2017-2249
|
- JVN : JVNTA#91240916
- JVN : JVN#21369452
- National Vulnerability Database (NVD) : CVE-2017-2246
- National Vulnerability Database (NVD) : CVE-2017-2247
- National Vulnerability Database (NVD) : CVE-2017-2248
- National Vulnerability Database (NVD) : CVE-2017-2249
|
- [2017/07/07]
Web page was published
[2017/07/11]
Affected Products : Product version was modified
[2018/02/07]
References : Contents were added
|