[Japanese]

JVNDB-2024-001882

Sharp NEC Display Solutions' public displays vulnerable to local file inclusion

Overview

Multiple public displays provided by Sharp NEC Display Solutions, Ltd. contain a local file inclusion vulnerability (CWE-22, CVE-2023-7077).

Tunahan TEKEOĞLU of Senior Cyber Security Consultant reported this vulnerability to Sharp NEC Display Solutions, Ltd. and coordinated. Sharp NEC Display Solutions, Ltd. reported this case to JPCERT/CC to notify users of the solution through JVN.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 9.8 (Critical) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
Affected Products


Sharp NEC Display Solutions, Ltd.
  • (Multiple Product)

A wide range of the products and versions are affected.

As for the details of the affected products and versions, refer to the information provided by the developer.
Impact

If an attacker sends a specially crafted request to the product's web application,
arbitrary code may be executed.
Solution

[Stop using the products and Switch to alternative products]
The developer states that the products are no longer supported, therefore recommends using alternative unaffected products.

[Apply a Workaround]
In the case that switching to alternative products is difficult, applying the following workaround may mitigate the impact of this vulnerability.

* Use the product only in a safe intranet protected by a firewall, etc. and do not connect the public displays to the Internet

For more information, refer to the information provided by the developer.
Vendor Information

Sharp NEC Display Solutions, Ltd.
CWE (What is CWE?)

  1. Path Traversal(CWE-22) [Other]
CVE (What is CVE?)

  1. CVE-2023-7077
References

  1. JVN : JVNVU#97836276
  2. National Vulnerability Database (NVD) : CVE-2023-7077
Revision History

  • [2024/02/07]
      Web page was published
  • [2024/07/11]
      References : Content was added