JVNDB-2019-000071
|
STAMP Workbench installer may insecurely load Dynamic Link Libraries
|
STAMP Workbench is a modeling tool for STAMP provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA). It is distributed as a ZIP archive or a Windows executable installer.
The Windows executable installer contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Yuji Tonai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 7.8 (High) [IPA Score]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 6.8 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
|
|
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA)
- STAMP Workbench installer
|
|
Arbitrary code may be executed with the privileges of the user invoking the installer.
|
[Do not use the installer]
When installing the software for the first time, be sure to install it from a ZIP format archive.
IPA states that the distribution of the Windows executable installer has been stopped.
Note that this vulnerability affects the installer only; the application itself is not vulnerable.
|
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA)
|
- No Mapping (CWE-Other) [IPA Evaluation]
|
- CVE-2019-6019
|
- JVN : JVNTA#91240916
- JVN : JVN#19386781
- National Vulnerability Database (NVD) : CVE-2019-6019
|
- [2019/11/27]
Web page was published
|