Published: 2022/10/20  Last Updated: 2022/10/28
JVN#56968681
Multiple vulnerabilities in nadesiko3
Overview
Nadesiko3 provided by kujirahand contains multiple vulnerabilities.
Products Affected
CVE-2022-41642
- Nadesiko3 (PC Version) v3.3.68 and earlier
- Nako3edit, editor component of nadesiko3 (PC Version) v3.3.74 and earlier
Description
Nadesiko3 provided by kujirahand contains multiple vulnerabilities listed below.
- OS command injection vulnerability in processing compression and decompression (CWE-78) - CVE-2022-41642
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
  CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P Base Score: 7.5
- Improper check or handling of exceptional conditions in nako3edit (CWE-703) - CVE-2022-41777
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Base Score: 5.3
  CVSS v2 AV:N/AC:L/Au:N/C:N/I:N/A:P Base Score: 5.0
- OS command injection vulnerability via "file" parameter in nako3edit (CWE-78) - CVE-2022-42496
  CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 8.1
  CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P Base Score: 6.8
Impact
- An arbitrary OS command may be executed on the product when compression and/or decompression is performed - CVE-2022-41642
- Passing an invalid value to decodeURIComponent in nako3edit may cause the server to crash - CVE-2022-41777
- An arbitrary OS command may be executed on the product via the "file" parameter in nako3edit if a remote unauthenticated attacker obtains the product's appkey - CVE-2022-42496
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Satoki Tsuji reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
JPCERT Alert:
JPCERT Reports:
CERT Advisory:
CPNI Advisory:
TRnotes:
CVE: CVE-2022-41642, CVE-2022-41777, CVE-2022-42496
JVN iPedia: JVNDB-2022-000082
Update History
- 2022/10/28
- Information under [Products Affected] was updated.