PALLET CONTROL vulnerable to arbitrary code execution


PALLET CONTROL, provided by JAL Information Technology Co., Ltd., is IT asset management software. PALLET CONTROL contains an arbitrary code execution vulnerability caused by improper file access permissions (CWE-284, Improper Access Control): a local user can modify files that the product later executes with elevated privileges.

Yoshimasa Obana reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Local
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
Affected Products

JAL Information Technology Co., Ltd.
  • PALLET CONTROL Ver. 6.3 and earlier

According to the developer, PALLET CONTROL Ver. 7 through 9.1 are not affected by this vulnerability. However, in environments where the PLS Management Add-on Module is used, all versions are affected.

Impact

A user who can log in to the computer on which the vulnerable product is installed may execute arbitrary code with SYSTEM privileges. No user interaction is required, and the attacker needs only an ordinary local account.
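The advisory gives no file paths, so the following is an added check, written by the editor and not code from JVN, IPA or JAL Information Technology Co., Ltd. It audits a directory tree for the CWE-284 condition behind this class of bug: an Allow ACE that grants write, delete, permission-change or take-ownership rights to principals every local user belongs to (Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE). The default path is an assumption and must be replaced with the actual installation directory. A hit on a file or folder that a SYSTEM service loads or executes is the pre-condition for the impact described above; a clean result does not by itself prove the patch is applied.

```powershell
# Added example, not code from JVN or from JAL Information Technology Co., Ltd.
# Lists every Allow ACE under $Root that grants write-class rights to
# low-privileged principals. Run from an elevated PowerShell session so that
# Get-Acl can read every object in the tree.
param(
    # Assumed location; the advisory does not name the installation path.
    [string]$Root = 'C:\Program Files\PalletControl'
)

# Principals that every interactive or authenticated local user belongs to.
$LowPrivSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545', # BUILTIN\Users
    'S-1-5-4'       # INTERACTIVE
)

# Any of these bits lets the holder replace or alter a file, or grant itself the
# right to do so. Modify and FullControl are supersets of Write, so the bitwise
# test below catches them too.
$Dangerous = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-WeakAce {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if (([int]$rule.FileSystemRights -band [int]$Dangerous) -eq 0) { continue }
        try {
            # Compare by SID so localized group names do not matter.
            $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned SID or untranslatable account
        if ($LowPrivSids -contains $sid) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Check the root folder itself, then every file and subfolder beneath it.
$targets  = @(Get-Item -LiteralPath $Root -Force -ErrorAction Stop)
$targets += Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue

$findings = foreach ($item in $targets) { Get-WeakAce -Path $item.FullName }

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning ("{0} ACE(s) grant write-class rights to low-privileged principals under {1}" -f @($findings).Count, $Root)
} else {
    Write-Host "No write-class rights for low-privileged principals found under $Root"
}
```

The Inherited column matters for remediation: an inherited ACE usually means the installer created the directory under a parent with weak permissions, so fixing the parent (or breaking inheritance on the product folder) is the durable correction, whereas an explicit ACE was set on the object itself. Apply the vendor patch first; use this script only to confirm the post-patch state and to find any other folders the patch does not cover.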

Solution

[Apply the Patch]
Apply the patch according to the information provided by the developer.

According to the developer, users of PALLET CONTROL Ver. 6.2 or earlier must first update PALLET CONTROL to Ver. 6.3 and then apply the patch; the patch does not install on older versions.
Vendor Information

JAL Information Technology Co., Ltd.
CWE

  1. Permissions (CWE-264) [IPA Evaluation]
CVE

  1. CVE-2020-5538

  1. JVN : JVN#61849442
Revision History

  • [2020/05/11]
      Web page was published
  • [2020/05/14]
      CVSSv2 was modified