JVNDB-2023-000102

Multiple vulnerabilities in JustSystems products

Overview

Multiple products provided by JustSystems Corporation contain multiple vulnerabilities listed below.

* Use after free (CWE-416) - CVE-2023-34366
* Integer overflow (CWE-190) - CVE-2023-38127
* Access of resource using incompatible type (Type confusion) (CWE-843) - CVE-2023-38128
* Improper validation of array index (CWE-129) - CVE-2023-35126

Cisco Talos Security Intelligence & Research Group reported these vulnerabilities to JustSystems Corporation and coordinated with them. JustSystems Corporation and JPCERT/CC published their respective advisories to notify users of the solution through JVN.

CVSS Severity

CVSS V3 Severity:
Base Metrics 3.3 (Low) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 1.9 (Low) [IPA Score]
  • Access Vector: Local
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2023-34366


CVSS V3 Severity:
Base Metrics 3.3 (Low) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 1.9 (Low) [IPA Score]
  • Access Vector: Local
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2023-38127


CVSS V3 Severity:
Base Metrics 3.3 (Low) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 1.9 (Low) [IPA Score]
  • Access Vector: Local
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2023-38128


CVSS V3 Severity:
Base Metrics 3.3 (Low) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 1.9 (Low) [IPA Score]
  • Access Vector: Local
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2023-35126

Affected Products

JustSystems Corporation
  • JUST Government series
  • JUST Office series
  • JUST Police series
  • Ichitaro series
  • Rakuraku Hagaki series

A wide range of products is affected. For details, refer to the information provided by the developer.

Impact

Processing a specially crafted file may cause the product to terminate abnormally.

Solution

[Apply the Patch]
Apply the patch according to the information provided by the developer.
For more information, refer to the information provided by the developer.

Vendor Information

JustSystems Corporation

CWE

  1. Buffer Errors (CWE-119) [IPA Evaluation]
  2. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2023-34366
  2. CVE-2023-38127
  3. CVE-2023-38128
  4. CVE-2023-35126

References

  1. JVN : JVN#28846531
  2. National Vulnerability Database (NVD) : CVE-2023-34366
  3. National Vulnerability Database (NVD) : CVE-2023-38127
  4. National Vulnerability Database (NVD) : CVE-2023-38128
  5. National Vulnerability Database (NVD) : CVE-2023-35126

Revision History

  • [2023/10/19]
      Web page was published
  • [2024/05/16]
      References : Contents were added