JVNVU#98917488
Multiple vulnerabilities in JTEKT ELECTRONICS Screen Creator Advance 2
Overview
Screen Creator Advance 2 provided by JTEKT ELECTRONICS CORPORATION contains multiple vulnerabilities.
Products Affected
- Screen Creator Advance 2 Ver.0.1.1.4 Build01 and earlier
Description
Screen Creator Advance 2 provided by JTEKT ELECTRONICS CORPORATION contains multiple vulnerabilities listed below.
- Out-of-bounds write (CWE-787) - CVE-2023-22345
  CVSS v3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8
- Out-of-bounds read (CWE-125) - CVE-2023-22346, CVE-2023-22347, CVE-2023-22349, CVE-2023-22350, CVE-2023-22353
  CVSS v3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8
- Use-after-free (CWE-416) - CVE-2023-22360
  CVSS v3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8
Impact
If a user of Screen Creator Advance 2 opens a specially crafted project file, the following vulnerabilities are triggered, which may result in information disclosure and/or arbitrary code execution.
CVE-2023-22345
An out-of-bounds write occurs due to a lack of error handling when out-of-specification errors are detected.
CVE-2023-22346
An out-of-bounds read occurs because the end of data cannot be verified when processing template information.
CVE-2023-22347
An out-of-bounds read occurs because the end of data cannot be verified when processing file structure information.
CVE-2023-22349
An out-of-bounds read occurs because the end of data cannot be verified when processing screen management information.
CVE-2023-22350
An out-of-bounds read occurs because the end of data cannot be verified when processing parts management information.
CVE-2023-22353
An out-of-bounds read occurs because the end of data cannot be verified when processing control management information.
CVE-2023-22360
A use-after-free occurs due to a lack of error handling even when an error is detected.
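The two root-cause patterns named above (reads whose end of data is not verified, and parsing that carries on after an out-of-specification value is detected) look like this when handled defensively. This is an added example, not code from the advisory or from the product; the record layout, `parse_records`, `read_u16`, `struct record` and `MAX_RECORD` are hypothetical and do not describe the real project file format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout (constructed for this example, not the product's format):
 * u16 count, then count records of { u16 type; u16 len; u8 data[len]; }, little-endian. */
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LARGE = -2 };
#define MAX_RECORD 64
struct record { uint16_t type; uint16_t len; uint8_t data[MAX_RECORD]; };

/* Read a little-endian u16 only if two bytes remain before `end`. */
static int read_u16(const uint8_t **p, const uint8_t *end, uint16_t *out)
{
    if ((size_t)(end - *p) < 2) return PARSE_TRUNCATED;
    *out = (uint16_t)((*p)[0] | ((*p)[1] << 8));
    *p += 2;
    return PARSE_OK;
}

/* Parse up to `cap` records; returns the record count (>= 0) or a negative error.
 * Every read is checked against `end`, and every error stops parsing at once. */
int parse_records(const uint8_t *buf, size_t size, struct record *out, size_t cap)
{
    const uint8_t *p = buf, *end = buf + size;
    uint16_t count, i;
    int rc;

    if ((rc = read_u16(&p, end, &count)) != PARSE_OK) return rc;
    if (count > cap) return PARSE_TOO_LARGE;            /* would write past out[] */
    for (i = 0; i < count; i++) {
        struct record *r = &out[i];
        if ((rc = read_u16(&p, end, &r->type)) != PARSE_OK) return rc;
        if ((rc = read_u16(&p, end, &r->len)) != PARSE_OK) return rc;
        if (r->len > MAX_RECORD) return PARSE_TOO_LARGE;        /* out-of-spec: reject, no copy */
        if ((size_t)(end - p) < r->len) return PARSE_TRUNCATED; /* length runs past end of data */
        memcpy(r->data, p, r->len);
        p += r->len;
    }
    return (int)count;
}

int main(void)
{
    /* Constructed input: count=1, one record claiming len=16 with only 2 bytes present. */
    static const uint8_t sample[] = { 0x01,0x00, 0x01,0x00, 0x10,0x00, 'a','b' };
    struct record recs[4];
    return parse_records(sample, sizeof sample, recs, 4) == PARSE_TRUNCATED ? 0 : 1;
}
```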
Solution
Update the software
Update Screen Creator Advance 2 to the latest version according to the information provided by the developer.
The developer has released the following version, which contains fixes for these vulnerabilities.
- Screen Creator Advance 2 Ver.0.1.1.4 Build01A and above
The latest update can be obtained from the developer's website listed below.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
JTEKT ELECTRONICS CORPORATION | Vulnerable | 2023/02/03 | JTEKT ELECTRONICS CORPORATION website |
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Michael Heinzl reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2023-22345, CVE-2023-22346, CVE-2023-22347, CVE-2023-22349, CVE-2023-22350, CVE-2023-22353, CVE-2023-22360 |
JVN iPedia |
Update History
- 2023/04/07
- Updated the information under the section [References]