JVNDB-2025-000019
|
Multiple vulnerabilities in AssetView
|
AssetView provided by Hammock Corporation contains multiple vulnerabilities listed below.
- Missing authentication for critical function (CWE-306) - CVE-2025-25060
- Acquiring sensitive information from data sent to the developer (CWE-201) - CVE-2025-27244
Takao Kondo of VeriServe Corporation reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 8.2 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2025-25060.
|
CVSS V3 Severity: Base Metrics 5.9 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2025-27244.
|
|
Hammock Corporation
- AssetView versions prior to Ver 13.2.4.3408 (13.2.4O)
- AssetView CLOUD versions prior to Ver 13.2.4.3408 (13.2.4O)
- AssetView CLOUD versions prior to Ver 13.3.4.3004 (13.3.4K)
|
The developer states that AssetView Cloud + is not affected by these vulnerabilities.
|
- The files on the server where the product is running may be obtained and/or deleted by a remote unauthenticated attacker (CVE-2025-25060)
- Sensitive information may be obtained by a remote unauthenticated attacker (CVE-2025-27244)
|
[Update the Software]
For AssetView:
Apply the appropriate update according to the information provided by the developer.
Users of AssetView prior to Ver 13.2.0 should contact the developer's Support Group.
For AssetView CLOUD:
Users of AssetView CLOUD should contact the developer's Support Group.
Refer to the information (in Japanese) provided by the developer for details.
|
Hammock Corporation
|
- No Mapping (CWE-Other) [IPA Evaluation]
|
- CVE-2025-25060
- CVE-2025-27244
|
- JVN : JVN#26321838
|
- [2025/03/25]
Web page was published
|