
JVNDB-2023-000031

Multiple vulnerabilities in JustSystems products

Overview

Multiple products provided by JustSystems Corporation contain multiple vulnerabilities listed below.
  • Use After Free (CWE-416) - CVE-2022-43664
  • Heap-based Buffer Overflow (CWE-122) - CVE-2022-45115
  • Free of Memory not on the Heap (CWE-590) - CVE-2023-22291
  • Heap-based Buffer Overflow (CWE-122) - CVE-2023-22660

Cisco Talos Security Intelligence & Research Group reported these vulnerabilities to JustSystems Corporation and coordinated with them. JustSystems Corporation and JPCERT/CC published their respective advisories through JVN to notify users of the solutions.
CVSS Severity

CVSS V3 Severity:
Base Metrics 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2022-43664


CVSS V3 Severity:
Base Metrics 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2022-45115


CVSS V3 Severity:
Base Metrics 7.0 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 5.1 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2023-22291


CVSS V3 Severity:
Base Metrics 7.0 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 5.1 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2023-22660
Affected Products


JustSystems Corporation
  • JUST Government series
  • JUST Office series
  • JUST Police series
  • Homepage Builder 21
  • Label Mighty series
  • Ichitaro series
  • Hanako series
  • Rakuraku Hagaki series

A wide range of products is affected. For the details, refer to the information provided by the developer.
Impact

Processing a specially crafted file may cause a buffer overflow and/or denial-of-service (DoS) condition.
Solution

[Update the Software]
Update the software to the latest version according to the information provided by the developer.
For more information, refer to the information provided by the developer.
Vendor Information

JustSystems Corporation
CWE

  1. Buffer Errors (CWE-119) [IPA Evaluation]
  2. No Mapping (CWE-Other) [IPA Evaluation]
CVE

  1. CVE-2022-43664
  2. CVE-2022-45115
  3. CVE-2023-22291
  4. CVE-2023-22660
References

  1. JVN : JVN#79149117
  2. National Vulnerability Database (NVD) : CVE-2022-43664
  3. National Vulnerability Database (NVD) : CVE-2022-45115
  4. National Vulnerability Database (NVD) : CVE-2023-22291
  5. National Vulnerability Database (NVD) : CVE-2023-22660
Revision History

  • [2023/04/04]
      Web page was published
  • [2024/05/29]
      References : Contents were added