All the vulnerabilites related to JustSystems Corporation - JUST Online Update
jvndb-2014-000053
Vulnerability from jvndb
Published
2014-06-11 12:22
Modified
2014-06-17 16:25
Summary
JustSystems Online Update Program bundled with JustSystems products vulnerable to arbitrary code execution
Details
"JUST Online Update" and "JUST Online Update for J-License and the management tools" that are bundled with multiple JustSystems products contain a flaw that allows the update program to be executed even if the signature of an update module is invalid.
Please note that this is a flaw in the online update program, not a flaw in each software itself.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | http://jvn.jp/en/jp/JVN50129191/index.html | |
| CVE | //cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2003 | |
| NVD | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2003 | |
| IPA SECURITY ALERTS | http://www.ipa.go.jp/security/ciadr/vul/20140611-jvn.html | |
| No Mapping(CWE-noinfo) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| JustSystems Corporation | JUST Online Update |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000053.html",
"dc:date": "2014-06-17T16:25+09:00",
"dcterms:issued": "2014-06-11T12:22+09:00",
"dcterms:modified": "2014-06-17T16:25+09:00",
"description": "\"JUST Online Update\" and \"JUST Online Update for J-License and the management tools\" that are bundled with multiple JustSystems products contain a flaw that allows the update program to be executed even if the signature of an update module is invalid.\r\nPlease note that this is a flaw in the online update program, not a flaw in each software itself.",
"link": "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000053.html",
"sec:cpe": {
"#text": "cpe:/a:justsystems:just_online_update",
"@product": "JUST Online Update",
"@vendor": "JustSystems Corporation",
"@version": "2.2"
},
"sec:cvss": {
"@score": "7.6",
"@severity": "High",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2014-000053",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN50129191/index.html",
"@id": "JVN#50129191",
"@source": "JVN"
},
{
"#text": "//cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2003",
"@id": "CVE-2014-2003",
"@source": "CVE"
},
{
"#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2003",
"@id": "CVE-2014-2003",
"@source": "NVD"
},
{
"#text": "http://www.ipa.go.jp/security/ciadr/vul/20140611-jvn.html",
"@id": "About arbitrary code execution vulnerability of JustSystems Online Update Program bundled with JustSystems products (JVN#50129191)",
"@source": "IPA SECURITY ALERTS"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-noinfo",
"@title": "No Mapping(CWE-noinfo)"
}
],
"title": "JustSystems Online Update Program bundled with JustSystems products vulnerable to arbitrary code execution"
}
jvndb-2022-000061
Vulnerability from jvndb
Published
2022-07-28 13:40
Modified
2022-07-28 13:40
Severity ?
Summary
"JustSystems JUST Online Update for J-License" starts a program with an unquoted file path
Details
"JustSystems JUST Online Update for J-License" is bundled with multiple products for corporate users provided by JustSystems Corporation, as in Ichitaro through Pro5 and others, and it is registered as a Windows service.
"JustSystems JUST Online Update for J-License" starts another program with an unquoted file path (CWE-428).
Hiroki MATSUKUMA of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| JustSystems Corporation | JUST Online Update |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000061.html",
"dc:date": "2022-07-28T13:40+09:00",
"dcterms:issued": "2022-07-28T13:40+09:00",
"dcterms:modified": "2022-07-28T13:40+09:00",
"description": "\"JustSystems JUST Online Update for J-License\" is bundled with multiple products for corporate users provided by JustSystems Corporation, as in Ichitaro through Pro5 and others, and it is registered as a Windows service.\r\n\"JustSystems JUST Online Update for J-License\" starts another program with an unquoted file path (CWE-428).\r\n\r\nHiroki MATSUKUMA of Cyber Defense Institute, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000061.html",
"sec:cpe": {
"#text": "cpe:/a:justsystems:just_online_update",
"@product": "JUST Online Update",
"@vendor": "JustSystems Corporation",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "6.8",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:L/AC:L/Au:S/C:C/I:C/A:C",
"@version": "2.0"
},
{
"@score": "8.8",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2022-000061",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN57073973/index.html",
"@id": "JVN#57073973",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2022-36344",
"@id": "CVE-2022-36344",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-36344",
"@id": "CVE-2022-36344",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "\"JustSystems JUST Online Update for J-License\" starts a program with an unquoted file path"
}