JVNDB-2020-000032

Panasonic Video Insight VMS vulnerable to arbitrary code execution

Video Insight VMS provided by Panasonic Corporation contains an arbitrary code execution vulnerability (CWE-94).

Panasonic Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Panasonic Corporation coordinated under the Information Security Early Warning Partnership.

Panasonic Corporation

• Video Insight VMS versions prior to 7.6.1

For the details of the mitigations, refer to the information provided by the developer.

[2020/06/25 Update]
When this advisory was first published on 2020 May 19, the affected version was described as "7.5 and earlier". However, the developer found that the fix was not adequate in version 7.6, thus version 7.6.1 that contains the fix was released later.

An arbitrary code may be executed by a remote attacker.

[Update the software]
Update the software to the latest version according to the information provided by the developer.

[2020/06/25 Update]
When this advisory was first published on 2020 May 19, the affected version was described as "7.5 and earlier". However, the developer found that the fix was not adequate in version 7.6, thus version 7.6.1 that contains the fix was released later.

Panasonic Corporation

• Panasonic : Downloadvi - IP Server
• Panasonic : Release Notes - Video Insight IP Server 7.6.1 Maintenance Release

1. Code Injection(CWE-94) [IPA Evaluation]

1. CVE-2019-5997

1. JVN : JVN#96646182
2. National Vulnerability Database (NVD) : CVE-2019-5997

• [2020/05/19]
    Web page was published
• [2020/06/25]
    Affected Products were modified
    Solution was modified
    Vendor Information was modified