JVNDB-2023-000054

Wacom Tablet Driver installer for macOS vulnerable to improper link resolution before file access

Overview

Wacom Tablet Driver installer for macOS provided by Wacom contains an improper link resolution before file access vulnerability (CWE-59).

Koh M. Nakagawa reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 7.7 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 7.6 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
Affected Products


Wacom
  • Wacom Tablet Driver prior to 6.4.2-1 (for macOS)

Impact

If a user is tricked into running a small malicious script before running the affected version of the installer, arbitrary code may be executed with root privileges.
Solution

[Use the fixed version of the installer]
When installing the driver, use the fixed version of the installer, 6.4.2-1 or later.
Vendor Information

Wacom
CWE

  1. Link Following (CWE-59) [IPA Evaluation]
CVE

  1. CVE-2023-27529
References

  1. JVN : JVN#90278893
  2. National Vulnerability Database (NVD) : CVE-2023-27529
Revision History

  • [2023/05/25]
      Web page was published