JVNDB-2024-000053

Multiple vulnerabilities in Unifier and Unifier Cast

Overview

Unifier and Unifier Cast provided by Yokogawa Rental & Lease Corporation contain the multiple vulnerabilities listed below.


  • Incorrect Default Permissions configured by Cast Launcher (CWE-276) - CVE-2024-23847

  • Missing Authorization for coejobhook Command Execution (CWE-862) - CVE-2024-36246



CVE-2024-23847
Yokogawa Rental & Lease Corporation reported this vulnerability to IPA to notify users of its solution through JVN.
JPCERT/CC and Yokogawa Rental & Lease Corporation coordinated under the Information Security Early Warning Partnership.

CVE-2024-36246
Taisei Ogura of MOTEX Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 9.8 (Critical) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-36246


CVSS V3 Severity:
Base Metrics 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-23847

Affected Products


Yokogawa Rental & Lease Corporation
  • Unifier Version.5.0 or later, without the patch "20240527" applied
  • Unifier Cast Version.5.0 or later, without the patch "20240527" applied

Impact

Arbitrary code may be executed with LocalSystem privilege.
As a result, a malicious program may be installed, or data may be modified or deleted.

Solution

[Apply the patch]
Apply the patch according to the information provided by the developer.

For more information, refer to the information provided by the developer.

Vendor Information

Yokogawa Rental & Lease Corporation

CWE

  1. No Mapping(CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2024-23847
  2. CVE-2024-36246

References

  1. JVN : JVN#17680667

Revision History

  • [2024/05/28]
      Web page was published