JVNDB-2024-000074
|
Multiple vulnerabilities in SKYSEA Client View
|
SKYSEA Client View, provided by Sky Co.,LTD., is an enterprise IT asset management tool.
SKYSEA Client View contains the multiple vulnerabilities listed below.
- Improper access control in the specific process (CWE-266) - CVE-2024-41139
- Origin validation error in shared memory data exchanges (CWE-346) - CVE-2024-41143
- Path traversal (CWE-22) - CVE-2024-41726
Ruslan Sayfiev and Denis Faiustov of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to Sky Co.,LTD. and coordinated. Sky Co.,LTD. and JPCERT/CC published their respective advisories to notify users of the solutions through JVN.
|
CVSS V3 Severity: Base Metrics 7.8 (High) [IPA Score]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-41139
|
CVSS V3 Severity: Base Metrics 7.8 (High) [IPA Score]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-41143
|
CVSS V3 Severity: Base Metrics 7.5 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-41726
|
Sky Co., LTD.
- SKYSEA Client View versions from Ver.6.010.06 to Ver.19.210.04e (CVE-2024-41139)
- SKYSEA Client View versions from Ver.3.013.00 to Ver.19.210.04e (CVE-2024-41143)
- SKYSEA Client View versions from Ver.15.200.13i to Ver.19.210.04e (CVE-2024-41726)
|
- If a user who can log in to the PC where the product's Windows client is installed places a specially crafted DLL file in a specific folder, arbitrary code may be executed with SYSTEM privileges (CVE-2024-41139)
- An arbitrary process may be executed with SYSTEM privileges by a user who can log in to the PC where the product's Windows client is installed (CVE-2024-41143)
- An arbitrary executable file may be executed by a user who can log in to the PC where the product's Windows client is installed (CVE-2024-41726)
|
[Update the software]
Update the software to the latest version according to the information provided by the developer.
The developer has released SKYSEA Client View Ver.19.3 that addresses these vulnerabilities.
[Apply the patch]
For SKYSEA Client View Ver.17.0 to Ver.19.210.04e, the developer has released patches that contain fixes for these vulnerabilities.
For more details, refer to the information provided by the developer.
|
Sky Co., LTD.
|
- Path Traversal (CWE-22) [IPA Evaluation]
- No Mapping (CWE-Other) [IPA Evaluation]
|
- CVE-2024-41139
- CVE-2024-41143
- CVE-2024-41726
|
- JVN : JVN#84326763
|
- [2024/07/29] Web page was published
- [2024/07/31] Affected Products: Product version was modified; Solution was modified
|