JVN#11448789
Security guide for website operators vulnerable to OS command injection
Overview
Security guide for website operators contains an OS command injection vulnerability.
Products Affected
- Security guide for website operators
Description
Security guide for website operators provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) contains an OS command injection vulnerability (CWE-78) due to an issue in loading saved data.
Impact
When specially crafted saved data is loaded, an arbitrary OS command may be executed.
Solution
Do not use Security guide for website operators
The developer has stated that support for Security guide for website operators has been discontinued and recommends that users stop using it.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) | Vulnerable | 2017/03/16 | |

Vendor | Link |
---|---|
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) | Security guide for website operators |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector (AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity (AC) | High (H) | Low (L) | | |
Privileges Required (PR) | High (H) | Low (L) | None (N) | |
User Interaction (UI) | Required (R) | None (N) | | |
Scope (S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact (C) | None (N) | Low (L) | High (H) | |
Integrity Impact (I) | None (N) | Low (L) | High (H) | |
Availability Impact (A) | None (N) | Low (L) | High (H) | |

Access Vector (AV) | Local (L) | Adjacent Network (A) | Network (N) |
---|---|---|---|
Access Complexity (AC) | High (H) | Medium (M) | Low (L) |
Authentication (Au) | Multiple (M) | Single (S) | None (N) |
Confidentiality Impact (C) | None (N) | Partial (P) | Complete (C) |
Integrity Impact (I) | None (N) | Partial (P) | Complete (C) |
Availability Impact (A) | None (N) | Partial (P) | Complete (C) |
Credit
This vulnerability was reported by IPA to notify users of its solution through JVN. JPCERT/CC and IPA coordinated under the Information Security Early Warning Partnership.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2017-2128 |
JVN iPedia | JVNDB-2017-000047 |