Published:2022/10/20  Last Updated:2022/10/28

JVN#56968681
Multiple vulnerabilities in nadesiko3

Overview

Nadesiko3 provided by kujirahand contains multiple vulnerabilities.

Products Affected

CVE-2022-41642

  • Nadesiko3 (PC Version) v3.3.68 and earlier
CVE-2022-41777, CVE-2022-42496
  • Nako3edit, editor component of nadesiko3 (PC Version) v3.3.74 and earlier

Description

Nadesiko3 provided by kujirahand contains multiple vulnerabilities listed below.

  • OS command injection vulnerability in processing compression and decompression (CWE-78) - CVE-2022-41642
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P Base Score: 7.5
  • Improper check or handling of exceptional conditions in nako3edit (CWE-703) - CVE-2022-41777
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Base Score: 5.3
    CVSS v2 AV:N/AC:L/Au:N/C:N/I:N/A:P Base Score: 5.0
  • OS command injection vulnerability via "file" parameter in nako3edit (CWE-78) - CVE-2022-42496
    CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 8.1
    CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P Base Score: 6.8

Impact

  • An arbitrary OS command may be executed on the product if compression and/or decompression is executed - CVE-2022-41642
  • Injecting an invalid value to decodeURIComponent of nako3edit may lead the server to crash - CVE-2022-41777
  • An arbitrary OS command may be executed on the product via "file" parameter in nako3edit if appkey of the product is obtained by the remote unauthenticated attacker - CVE-2022-42496

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes
kujirahand Vulnerable 2022/10/28

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Satoki Tsuji reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2022-41642
CVE-2022-41777
CVE-2022-42496
JVN iPedia JVNDB-2022-000082

Update History

2022/10/28
Information under [Products Affected] was updated.