Lucene search

[email protected]CVE-2017-2157

HistoryMay 12, 2017 - 6:29 p.m.

CVE-2017-2157

2017-05-1218:29:00

CWE-426

[email protected]

web.nvd.nist.gov

cve-2017-2157

public certification service

untrusted search path

vulnerability

jpki user's software

privilege escalation

remote attack

4.4 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

7.3 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

7.3 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

53.2%

JSON

Untrusted search path vulnerability in installers for The Public Certification Service for Individuals “The JPKI user’s software (for Windows 7 and later)” Ver3.1 and earlier, The Public Certification Service for Individuals “The JPKI user’s software (for Windows Vista)”, The Public Certification Service for Individuals “The JPKI user’s software” Ver2.6 and earlier that were available until April 27, 2017 allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.

Affected configurations

Vulners

NVD

Node

japan_agency_for_local_authority_information_systemsinstaller_for_the_public_certification_service_for_individuals_\"the_jpki_user\'s_software_\(for_windows_7_and_later\)\"Match3.1

japan_agency_for_local_authority_information_systemsinstaller_for_the_public_certification_service_for_individuals_\"the_jpki_user\'s_software_\(for_windows_7_and_later\)\"Range≤27

japan_agency_for_local_authority_information_systemsinstaller_for_the_public_certification_service_for_individuals_\"the_jpki_user\'s_software_\(for_windows_7_and_later\)\"Match2017

japan_agency_for_local_authority_information_systemsinstaller_for_the_public_certification_service_for_individuals_\"the_jpki_user\'s_software_\(for_windows_vista\)\"Match27

japan_agency_for_local_authority_information_systemsinstaller_for_the_public_certification_service_for_individuals_\"the_jpki_user\'s_software_\(for_windows_vista\)\"Match2017

japan_agency_for_local_authority_information_systemsinstaller_for_the_public_certification_service_for_individuals_\"the_jpki_user\'s_software\"Match2.6

japan_agency_for_local_authority_information_systemsinstaller_for_the_public_certification_service_for_individuals_\"the_jpki_user\'s_software\"Range≤27

japan_agency_for_local_authority_information_systemsinstaller_for_the_public_certification_service_for_individuals_\"the_jpki_user\'s_software\"Match2017

CPENameOperatorVersion
jpki:the_public_certification_service_for_individualsjpki the public certification service for individualsle2.6
jpki:the_public_certification_service_for_individualsjpki the public certification service for individualsle3.1
jpki:the_public_certification_service_for_individualsjpki the public certification service for individualseq-

CPE	Name	Operator	Version
jpki:the_public_certification_service_for_individuals	jpki the public certification service for individuals	le	2.6
jpki:the_public_certification_service_for_individuals	jpki the public certification service for individuals	le	3.1
jpki:the_public_certification_service_for_individuals	jpki the public certification service for individuals	eq	-

CNA Affected

[
  {
    "product": "Installer for The Public Certification Service for Individuals \"The JPKI user's software (for Windows 7 and later)\"",
    "vendor": "Japan Agency for Local Authority Information Systems",
    "versions": [
      {
        "status": "affected",
        "version": "Ver3.1 and earlier that was available until April 27, 2017"
      }
    ]
  },
  {
    "product": "Installer for The Public Certification Service for Individuals \"The JPKI user's software (for Windows Vista)\"",
    "vendor": "Japan Agency for Local Authority Information Systems",
    "versions": [
      {
        "status": "affected",
        "version": "available until April 27, 2017"
      }
    ]
  },
  {
    "product": "Installer for The Public Certification Service for Individuals \"The JPKI user's software\"",
    "vendor": "Japan Agency for Local Authority Information Systems",
    "versions": [
      {
        "status": "affected",
        "version": "Ver2.6 and earlier that was available until April 27, 2017"
      }
    ]
  }
]

References

jvn.jp/en/jp/JVN39605485/index.html

www.jpki.go.jp/download/win.html#dl

4.4 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

7.3 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

7.3 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

53.2%

JSON

Related for CVE-2017-2157

cvelist1 nvd1 prion1 jvn1