Japan Vulnerability Notes (JVN) - JVN:57224029
History: Mar 01, 2023 - 12:00 a.m.

JVN#57224029: Multiple vulnerabilities in SS1 and Rakuraku PC Cloud

Published: 2023-03-01 00:00:00
Source: Japan Vulnerability Notes (jvn.jp)
Tags: improper access control, path traversal, hard-coded credentials, remote code execution, update software, ss1, rakuraku pc cloud agent

CVSS3: 9.8 High

  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.003 Low (Percentile: 69.6%)

SS1 is asset management software and Rakuraku PC Cloud is a cloud-based asset management service. SS1 and Rakuraku PC Cloud Agent contain the multiple vulnerabilities listed below.

Improper Access Control (CWE-284) - CVE-2023-22335

Version   Vector                                         Base Score
CVSS v3   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N   7.5
CVSS v2   AV:N/AC:L/Au:N/C:P/I:N/A:N                     5.0

Path Traversal (CWE-22) - CVE-2023-22336

Version   Vector                                         Base Score
CVSS v3   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N   5.3
CVSS v2   AV:N/AC:L/Au:N/C:N/I:P/A:N                     5.0

Use of Hard-coded Credentials (CWE-798) - CVE-2023-22344

Version   Vector                                         Base Score
CVSS v3   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N   5.3
CVSS v2   AV:N/AC:L/Au:N/C:P/I:N/A:N                     5.0

Impact

  • A remote attacker may download arbitrary files in the directory where the product runs - CVE-2023-22335
  • A remote attacker may upload a specially crafted file to an arbitrary directory - CVE-2023-22336
  • A remote attacker may obtain the password of the debug tool and execute it - CVE-2023-22344

When these vulnerabilities are combined, a remote attacker may execute arbitrary code with SYSTEM privileges by sending a specially crafted script to the affected device.

Solution

Update the software
Update software to the latest version according to the information provided by the developer.

The developer states that the patch for Rakuraku PC Cloud Agent is applied automatically when the client is launched.

Products Affected

  • SS1 Ver.13.1.0.40 and earlier (Media version 13.1.0c and earlier)
  • Rakuraku PC Cloud Agent Ver.2.1.8 and earlier
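
One way to check an asset inventory against the affected versions listed above. This is an added example, not code from JVN or the developer; the host names and installed version strings are constructed sample data, and media-version strings such as "13.1.0c" are not compared, only flagged for manual review.

```python
import re

# Highest affected versions, from the "Products Affected" list above.
AFFECTED_MAX = {
    "SS1": (13, 1, 0, 40),
    "Rakuraku PC Cloud Agent": (2, 1, 8),
}

# Constructed sample inventory: (host, product, installed version string).
INVENTORY = [
    ("pc-001", "SS1", "Ver.13.1.0.40"),
    ("pc-002", "SS1", "13.1.0.5"),    # numerically below .40, though "5" > "40" as text
    ("pc-003", "SS1", "13.1.0.41"),   # constructed "later" value, not a known release
    ("pc-004", "Rakuraku PC Cloud Agent", "2.1.8.0"),  # same release as 2.1.8
    ("pc-005", "Rakuraku PC Cloud Agent", "2.1.9"),    # constructed "later" value
    ("pc-006", "SS1", "13.1.0c"),     # media-version format: not parsed here
]

def parse_version(text):
    """'Ver.13.1.0.40' or '2.1.8' -> tuple of ints; None if not dotted-numeric."""
    m = re.fullmatch(r"\s*(?:Ver\.?\s*)?(\d+(?:\.\d+)*)\s*", text, re.IGNORECASE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def status(product, version_text):
    """Return 'affected', 'not affected', 'unknown' or 'not listed'."""
    limit = AFFECTED_MAX.get(product)
    if limit is None:
        return "not listed"
    ver = parse_version(version_text)
    if ver is None:
        return "unknown"  # fail safe: treat as needing manual review
    # Pad to equal length so 2.1.8.0 compares equal to 2.1.8
    # (plain tuple comparison would rank the longer tuple higher).
    width = max(len(ver), len(limit))
    ver += (0,) * (width - len(ver))
    limit += (0,) * (width - len(limit))
    return "affected" if ver <= limit else "not affected"

def triage(inventory):
    """Map each host to its status."""
    return {host: status(product, ver) for host, product, ver in inventory}

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(f"{host}: {result}")
```

Hosts reported as "unknown" should be checked by hand against the developer's information rather than assumed safe.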
