Published: 2023/03/31  Last Updated: 2023/03/31

JVNVU#99710864
JTEKT ELECTRONIC Screen Creator Advance 2 vulnerable to improper restriction of operations within the bounds of a memory buffer

Overview

Screen Creator Advance 2 provided by JTEKT ELECTRONICS CORPORATION is vulnerable to improper restriction of operations within the bounds of a memory buffer.

Products Affected

  • Screen Creator Advance 2 Ver.0.1.1.4 Build01A and earlier

Description

Screen Creator Advance 2 provided by JTEKT ELECTRONICS CORPORATION is vulnerable to improper restriction of operations within the bounds of a memory buffer (CWE-119) because it does not properly check the data size when processing a project file.

Impact

If a user of Screen Creator Advance 2 opens a specially crafted project file, information may be disclosed and/or arbitrary code may be executed.

Solution

Update the software
Update Screen Creator Advance 2 to the latest version according to the information provided by the developer.
The developer has released the following version, which contains a fix for this vulnerability.

  • Screen Creator Advance 2 Ver.0.1.1.4 Build01B and above

The latest update can be obtained from the developer's website listed below.
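
For triaging an inventory of engineering workstations against the affected and fixed versions above, the following is an added example (not code from JPCERT/CC or the developer). It assumes installed versions are recorded in the same "Ver.x.x.x.x BuildNNL" form the advisory uses and that builds order by number and then by letter; the host names and inventory are constructed.

```python
import re

# Fixed release named in the advisory; anything that sorts before it is affected.
FIXED_VERSION = "Ver.0.1.1.4 Build01B"

# Assumed layout, based on how the advisory writes versions:
# "Ver.<dotted numbers> Build<digits><optional letter>"
_VERSION_RE = re.compile(
    r"^\s*Ver\.?\s*(\d+(?:\.\d+)*)\s+Build\s*(\d+)([A-Za-z]?)\s*$", re.IGNORECASE
)

def parse_version(text):
    """Return a sortable key such as ((0, 1, 1, 4), 1, 'A'); raise ValueError if unparsable."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, int(m.group(2)), m.group(3).upper()

def _pad(a, b):
    """Right-pad the shorter dotted version with zeros so 0.1 compares equal to 0.1.0."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))

def is_affected(installed, fixed=FIXED_VERSION):
    """True when the installed version sorts strictly before the fixed release."""
    i_nums, i_build, i_letter = parse_version(installed)
    f_nums, f_build, f_letter = parse_version(fixed)
    i_nums, f_nums = _pad(i_nums, f_nums)
    return (i_nums, i_build, i_letter) < (f_nums, f_build, f_letter)

def triage(inventory):
    """Map each host to 'affected', 'fixed', or 'unknown' (version string not parsable)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "fixed"
        except ValueError:
            result[host] = "unknown"  # needs manual review rather than a silent pass
    return result

# Constructed sample inventory (hypothetical hosts), not real data.
SAMPLE_INVENTORY = {
    "eng-ws-01": "Ver.0.1.1.4 Build01A",
    "eng-ws-02": "Ver.0.1.1.4 Build01B",
    "eng-ws-03": "Ver.0.1.1.3 Build05C",
    "eng-ws-04": "not recorded",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" should be checked by hand, since an unparsable version string says nothing about whether the fix is installed.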

Vendor Status

Vendor | Status | Last Update | Vendor Notes
JTEKT ELECTRONICS CORPORATION | Vulnerable | 2023/03/31 | JTEKT ELECTRONICS CORPORATION website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score: 7.8
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality Impact (C): High (H)
Integrity Impact (I): High (H)
Availability Impact (A): High (H)

Credit

Michael Heinzl reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

CVE CVE-2023-25755