[Japanese]

JVNDB-2022-000086

Aiphone Video Multi-Tenant System Entrance Stations vulnerable to information disclosure

Overview

Video Multi-Tenant System Entrance Stations provided by AIPHONE CO., LTD. contain an information disclosure vulnerability (CWE-200).

Cameron Palmer of PROMON reported this vulnerability to Aiphone Co., Ltd. and coordinated. Aiphone Co., Ltd. and JPCERT/CC published respective advisories in order to notify users of this vulnerability.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 2.9 (Low) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products


AIPHONE CO., LTD.
  • GT-DB-VN with firmware versions prior to 2.00
  • GT-DMB with firmware versions prior to 3.00
  • GT-DMB-LVN with firmware versions prior to 3.00
  • GT-DMB-N with firmware versions prior to 3.00

Impact

An attacker who can obtain specific information of the product and access the product may obtain sensitive information stored in the device.
Solution

[Use the products with the fixed firmware]
According to the developer, the vulnerability has been fixed since December 2021.
Please inquire the developer the information on the support of the products released before December 2021.
Vendor Information

AIPHONE CO., LTD.
CWE (What is CWE?)

  1. Information Exposure(CWE-200) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2022-40903
References

  1. JVN : JVN#75437943
Revision History

  • [2022/11/10]
      Web page was published

Date Public2022/11/10
Date First Published2022/11/10
Date Last Updated2022/11/10