CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AI Score Confidence: Low
EPSS Percentile: 9.0%
RevoWorks SCVX and RevoWorks Browser provided by J’s Communication Co., Ltd. enable users to execute web browsers in the sandboxed environment isolated from the client’s local environment.
In the products, file exchange between the sandboxed environment and local environment is prohibited in principle, but by using the optional “VirusChecker” or “ThreatChecker” feature and changing the policy settings, files checked for viruses by these features in the sandboxed environment can be permitted to be downloaded to the local environment.
However, the products contain a vulnerability (CWE-693): malware detection fails when data containing malware is saved in a specific file format (eml, dmg, vhd, iso, msi) in the sandboxed environment.
If data containing malware is saved in a specific file format, malware may be taken outside the sandboxed environment.
Update the software
Update the software to the latest version according to the information provided by the developer.
The developer addressed the vulnerability in the following versions:
RevoWorks SCVX scvimage4.10.21_1013
RevoWorks Browser 2.2.95
Apply the workaround
Applying the following workaround may avoid the impact of this vulnerability.
Do not use “VirusChecker” and “ThreatChecker” features
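Added example (not from the advisory or the developer): a Python sketch that finds files in the five affected formats (eml, dmg, vhd, iso, msi) by content signature rather than extension, so that files downloaded to the local environment while an affected version was in use can be re-scanned with another engine. The function names and the eml heuristic (three or more distinct mail headers) are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# Content signatures for the five formats named in the advisory.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file, the MSI container
ISO_ID_OFFSET = 0x8001                         # "CD001" in the first ISO 9660 volume descriptor
HEAD_LEN = 0x9000                              # large enough to cover ISO_ID_OFFSET
EML_HEADER = re.compile(
    rb"^(Received|Return-Path|From|To|Date|Subject|Message-ID|MIME-Version):", re.I | re.M)

def affected_format(head: bytes, tail: bytes):
    """Classify by content, not extension. tail is the last 512 bytes of the file."""
    if head.startswith(OLE_MAGIC):
        return "msi"  # other OLE files (doc, xls) match too: a hit means "re-scan"
    if head[ISO_ID_OFFSET:ISO_ID_OFFSET + 5] == b"CD001":
        return "iso"
    if tail.startswith(b"conectix") or head.startswith(b"conectix"):
        return "vhd"  # VHD footer cookie (dynamic disks keep a copy at offset 0)
    if len(tail) == 512 and tail.startswith(b"koly"):
        return "dmg"  # UDIF trailer
    text = head[:4096]
    if b"\0" not in text and len({m.lower() for m in EML_HEADER.findall(text)}) >= 3:
        return "eml"  # heuristic (assumption): three or more distinct mail headers
    return None

def probe(path: Path):
    """Read only the head and the last 512 bytes, so large disk images stay cheap."""
    size = path.stat().st_size
    with path.open("rb") as f:
        head = f.read(HEAD_LEN)
        f.seek(max(size - 512, 0))
        tail = f.read(512)
    return head, tail

def scan(root):
    """Return [(path, format)] for files under root that should be re-scanned."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            kind = affected_format(*probe(path))
            if kind:
                hits.append((str(path), kind))
    return hits

if __name__ == "__main__":
    for path, kind in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind}\t{path}")
```

A hit only identifies the container format; it says nothing about whether the content is malicious.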