JVNDB-2024-000063

Multiple vulnerabilities in ID Link Manager and FUJITSU Software TIME CREATOR

Overview

ID Link Manager and FUJITSU Software TIME CREATOR provided by Fsas Technologies Inc. contain multiple vulnerabilities listed below.

* Path Traversal (CWE-36) (CVE-2024-33620)
* Missing Authentication (CWE-306) (CVE-2024-33622)
* Information disclosure (CWE-204) (CVE-2024-34024)

Christian Demko of WithSecure KK reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer Fsas Technologies Inc.

CVSS Severity

CVSS V3 Severity:
Base Metrics 8.6 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base score has been assigned to CVE-2024-33620.


CVSS V3 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base score has been assigned to CVE-2024-33622.


CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base score has been assigned to CVE-2024-34024.

Affected Products


Fsas Technologies Inc.
  • FUJITSU Business Application ID Link ManagerII V1.8 and earlier (CVE-2024-33620, CVE-2024-33622, CVE-2024-34024)
  • FUJITSU Software ID Link Manager V2.0 (CVE-2024-33620, CVE-2024-33622, CVE-2024-34024)
  • FUJITSU Software TIME CREATOR ID Link Manager V2.3.0, V2.3.1, V2.4, V2.5, V2.6, V2.7 (CVE-2024-33620, CVE-2024-33622, CVE-2024-34024)
  • FUJITSU Software TIME CREATOR ID Link Manager V3.0, V3.0.2, V3.0.2.1, V3.0.3 (CVE-2024-33620, CVE-2024-33622, CVE-2024-34024)
  • FUJITSU Software TIME CREATOR ID Link Manager SaaS (Versions before the maintenance on June 16, 2024) (CVE-2024-33622, CVE-2024-34024)

Impact

* The file contents including sensitive information on the server may be retrieved by an unauthenticated remote attacker (CVE-2024-33620)
* Sensitive information may be obtained and/or the information stored in the database may be altered by a remote attacker (CVE-2024-33622)
* An unauthenticated remote attacker may determine if a username is valid or not (CVE-2024-34024)

Solution

[Apply the Patch]
For ID Link Manager and FUJITSU Software TIME CREATOR, apply the patches according to the information provided by the developer.

The issues in FUJITSU Software TIME CREATOR ID Link Manager SaaS are fixed with the update on June 16, 2024.

Vendor Information

Fsas Technologies Inc.

CWE

  1. Information Exposure (CWE-200) [IPA Evaluation]
  2. Path Traversal (CWE-22) [IPA Evaluation]
  3. Improper Authentication (CWE-287) [IPA Evaluation]

CVE

  1. CVE-2024-33620
  2. CVE-2024-33622
  3. CVE-2024-34024

References

  1. JVN: JVN#65171386

Revision History

  • [2024/06/18]
      Web page was published