JVNDB-2024-000053

Multiple vulnerabilities in Unifier and Unifier Cast

Overview

Unifier and Unifier Cast provided by Yokogawa Rental & Lease Corporation contain multiple vulnerabilities listed below.


  • Incorrect Default Permissions configured by Cast Launcher (CWE-276) - CVE-2024-23847

  • Missing Authorization for coejobhook Command Execution (CWE-862) - CVE-2024-36246



CVE-2024-23847
Yokogawa Rental & Lease Corporation reported this vulnerability to IPA to notify users of its solution through JVN.
JPCERT/CC and Yokogawa Rental & Lease Corporation coordinated under the Information Security Early Warning Partnership.

CVE-2024-36246
Taisei Ogura of MOTEX Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 9.8 (Critical) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-36246


CVSS V3 Severity:
Base Metrics 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-23847
Affected Products


Yokogawa Rental & Lease Corporation
  • Unifier Version.5.0 or later but prior to v5.10.6, and the patch "20240527" not applied
  • Unifier Cast Version.5.0 or later but prior to v5.10.6, and the patch "20240527" not applied
  • Unifier Cast Version.6.0 or later but prior to v6.5.0, and the patch "20240527" not applied

Impact

Arbitrary code may be executed with LocalSystem privileges.
As a result, a malicious program may be installed, or data may be modified or deleted.
Solution

[Update the Software or Apply the patch]
Update the software to the latest version or apply the patch according to the information provided by the developer.

For more information, refer to the information provided by the developer.
Vendor Information

Yokogawa Rental & Lease Corporation
CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]
CVE

  1. CVE-2024-23847
  2. CVE-2024-36246
References

  1. JVN : JVN#17680667
Revision History

  • [2024/05/28]
      Web page was published
  • [2025/04/08]
      Affected Products : Product was added 
      Vendor Information : Contents were added
      Solution was modified