[Japanese]

JVNDB-2020-000032

Panasonic Video Insight VMS vulnerable to arbitrary code execution

Overview

Video Insight VMS provided by Panasonic Corporation contains an arbitrary code execution vulnerability (CWE-94).

Panasonic Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Panasonic Corporation coordinated under the Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 9.8 (Critical) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 7.5 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products


Panasonic Corporation
  • Video Insight VMS versions prior to 7.6.1

For the details of the mitigations, refer to the information provided by the developer.

[2020/06/25 Update]
When this advisory was first published on 2020 May 19, the affected version was described as "7.5 and earlier". However, the developer found that the fix was not adequate in version 7.6, thus version 7.6.1 that contains the fix was released later.
Impact

An arbitrary code may be executed by a remote attacker.
Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer.

[2020/06/25 Update]
When this advisory was first published on 2020 May 19, the affected version was described as "7.5 and earlier". However, the developer found that the fix was not adequate in version 7.6, thus version 7.6.1 that contains the fix was released later.
Vendor Information

Panasonic Corporation
CWE (What is CWE?)

  1. Code Injection(CWE-94) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2019-5997
References

  1. JVN : JVN#96646182
  2. National Vulnerability Database (NVD) : CVE-2019-5997
Revision History

  • [2020/05/19]
      Web page was published
  • [2020/06/25]
      Affected Products were modified
      Solution was modified
      Vendor Information was modified