|
[Japanese]
|
JVNDB-2026-000074
|
WPS Office improper access restriction to its named pipe
|
|
WPS Office provided by WPS SOFTWARE PTE. LTD. contains a service program running background and providing certain functionalities to the other programs. This service program uses a named pipe to communicate with the other programs.
The named pipe above is not properly protected and any non-administrative user can access it.- Exposed dangerous method or function (CWE-749) - CVE-2018-6400
MASAHIRO IIDA of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 7.8 (High) [NVD Score]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
|
CVSS v4 Severity
Base Metrics: 8.5 (High) [IPA Score]
- Access Vector (AV): Local
- Attack Complexity (AC): Low
- Attack Requirements (AT): None
- Privileges Required (PR): Low
- User Interaction (UI): None
Vulnerable System Impact
- Confidentiality Impact (VC): High
- Integrity Impact (VI): High
- Availability Impact (VA): High
Subsequent System Impact
- Confidentiality Impact (SC): None
- Integrity Impact (SI): None
- Availability Impact (SA): None
|
|
|
WPS
- KINGSOFT PDF Pro Ver.11.2.0.10715 and earlier
- WPS Cloud Ver.11.2.0.10715 and earlier
- WPS Cloud Pro Ver.11.2.0.10716 and earlier
- WPS Office2 (2020 edition) Ver.11.2.0.10707 and earlier
- WPS Office2 (2025 edition) Ver.11.2.0.10715 and earlier
|
|
|
A non-administrative user may execute arbitrary programs with SYSTEM privilege.
|
|
[Update the Software]
Update the software to the latest version according to the information provided by the developer.
|
|
WPS
|
|
- No Mapping(CWE-Other) [NVD Evaluation]
|
|
- CVE-2018-6400
|
|
- JVN : JVN#14434132
|
|
- [2026/05/14]
Web page was published
|
