JVNDB-2019-000052

ApeosWare Management Suite and ApeosWare Management Suite 2 contain open redirect vulnerability

Overview

ApeosWare Management Suite and ApeosWare Management Suite 2, provided by Fuji Xerox Co., Ltd., are software products that manage devices and their usage, providing authentication, printing, log accounting, and document distribution.
These software products contain an open redirect vulnerability (CWE-601).

KOBAYASHI Haruki of Cryptography Laboratory, Department of Information and Communication Engineering, Graduate School of Tokyo Denki University and NAKAMURA Dai of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 4.7 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

Fuji Xerox Co., Ltd.
  • ApeosWare Management Suite Ver.1.4.0.18 and earlier
  • ApeosWare Management Suite 2 Ver.2.1.2.4 and earlier

Impact

A user may be redirected to an arbitrary website when logging in to the product via a crafted URL, or when accessing a specially crafted URL while logged in to the product.
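The behaviour described above is the general CWE-601 pattern: a redirect parameter is followed without checking where it points. The following is an added example of the allow-list check a web application would apply to a post-login redirect parameter before issuing the redirect. It is not code from Fuji Xerox or the ApeosWare products; the application host name and the parameter handling are constructed for illustration.

```python
"""Allow-list check for a post-login redirect parameter (CWE-601 mitigation).

Added example, not vendor code. Only a target that stays on the application's
own host is followed; anything else falls back to a fixed local page.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed for the example; a real deployment uses its own canonical host.
APP_HOST = "printserver.example"
DEFAULT_TARGET = "/"


def safe_redirect_target(candidate: Optional[str], app_host: str = APP_HOST) -> str:
    """Return a path-only redirect target derived from `candidate`, or DEFAULT_TARGET.

    Accepted: relative paths ("/home?tab=1") and absolute URLs on `app_host`.
    Rejected: other hosts, scheme-relative URLs ("//host"), backslash variants
    ("/\\host"), extra-slash variants ("///host"), userinfo tricks
    ("https://app@host/"), and non-http(s) schemes such as javascript:.
    """
    if not candidate:
        return DEFAULT_TARGET

    # Browsers drop ASCII tab/newline and treat backslash as slash when parsing
    # URLs, so normalise the same way before inspecting the value.
    normalised = "".join(ch for ch in candidate if ch not in "\t\r\n")
    normalised = normalised.replace("\\", "/")

    # Two or more leading slashes are parsed as an authority by browsers
    # ("//host", "///host"), regardless of what urlsplit returns for them.
    if normalised.startswith("//"):
        return DEFAULT_TARGET

    parts = urlsplit(normalised)

    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_TARGET  # javascript:, data:, etc.

    if parts.netloc:
        # hostname strips userinfo and port and lowercases, so
        # "https://printserver.example@evil.example/" resolves to evil.example.
        if parts.hostname != app_host.lower():
            return DEFAULT_TARGET
    elif not normalised.startswith("/"):
        return DEFAULT_TARGET  # "evil.example/x" or "http:evil.example"

    # Re-emit only path, query and fragment so no host component survives.
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    if parts.fragment:
        target += "#" + parts.fragment
    return target


if __name__ == "__main__":
    # Constructed sample values as a login handler might receive them.
    for value in ("/home?tab=1", "https://printserver.example/reports",
                  "//evil.example/x", "/\\evil.example", "javascript:alert(1)"):
        print(f"{value!r:45} -> {safe_redirect_target(value)!r}")
```

The check rebuilds the target from path, query and fragment only, so even an accepted same-host absolute URL is emitted as a local path; the rejection cases are the payload shapes that a naive "starts with a slash" or "contains our host name" test lets through.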

Solution

[Apply the Patch]
Apply the patch according to the information provided by the developer.

Vendor Information

Fuji Xerox Co., Ltd.

CWE

  1. Improper Input Validation (CWE-20) [IPA Evaluation]

CVE

  1. CVE-2019-6004

References

  1. JVN : JVN#07679150
  2. National Vulnerability Database (NVD) : CVE-2019-6004

Revision History

  • [2019/08/15]
      Web page was published
  • [2019/10/04]
      References : Content was added
  • [2021/04/12]
      Vendor Information : The hyperlink URL was updated