Published: 2017/03/16  Last Updated: 2017/03/16

JVN#11448789
Security guide for website operators vulnerable to OS command injection

Overview

Security guide for website operators contains an OS command injection vulnerability.

Products Affected

  • Security guide for website operators

Description

Security guide for website operators provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) contains an OS command injection vulnerability (CWE-78) due to an issue in loading saved data.

Impact

When specially crafted saved data is loaded, an arbitrary OS command may be executed.

Solution

Do not use Security guide for website operators
The developer has stated that support for Security guide for website operators has been discontinued, and therefore recommends that users stop using it.

Vendor Status

Vendor: INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA)
Status: Vulnerable
Last Update: 2017/03/16
Vendor Link: INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) Security guide for website operators

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score: 7.8
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality Impact (C): High (H)
Integrity Impact (I): High (H)
Availability Impact (A): High (H)

CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score: 6.8
Access Vector (AV): Network (N)
Access Complexity (AC): Medium (M)
Authentication (Au): None (N)
Confidentiality Impact (C): Partial (P)
Integrity Impact (I): Partial (P)
Availability Impact (A): Partial (P)

Credit

This vulnerability was reported by IPA in order to notify users of its solution through JVN. JPCERT/CC and IPA coordinated under the Information Security Early Warning Partnership.

Other Information

CVE CVE-2017-2128
JVN iPedia JVNDB-2017-000047