JVNDB-2020-000034

Cybozu Desktop for Windows vulnerable to arbitrary code execution

Overview

Cybozu Desktop for Windows provided by Cybozu, Inc. contains an arbitrary code execution vulnerability due to improper data processing when applying a software update.

Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to Cybozu, Inc. and coordinated. Cybozu, Inc. and JPCERT/CC published respective advisories in order to notify users of this vulnerability.
CVSS Severity

CVSS V3 Severity:
Base Metrics 8.3 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 5.1 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products


Cybozu, Inc.
  • Cybozu Desktop for Windows 2.0.23 to 2.2.40

Impact

A remote attacker may execute arbitrary code through an attack such as a man-in-the-middle (MITM) attack or a subdomain takeover.
Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.
Vendor Information

Cybozu, Inc.
CWE

  1. Improper Input Validation(CWE-20) [IPA Evaluation]
CVE

  1. CVE-2020-5537
References

  1. JVN : JVN#59552136
  2. National Vulnerability Database (NVD) : CVE-2020-5537
Revision History

  • [2020/05/25]
      Web page was published