JVN#11705010
Beekeeper Studio vulnerable to code injection
Overview
Beekeeper Studio contains a code injection vulnerability.
Products Affected
- Beekeeper Studio versions prior to 3.9.9
Description
Beekeeper Studio provided by Beekeeper Studio, Inc. contains a code injection vulnerability (CWE-74).
Impact
A remote authenticated attacker may execute arbitrary JavaScript code with the privilege of the application on the PC where the affected product is installed. As a result, an arbitrary OS command may be executed as well.
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
The developer released Beekeeper Studio 3.9.9 that contains a fix for this vulnerability.
Vendor Status
| Vendor | Link |
| Beekeeper Studio, Inc. | The SQL Editor and Database Manager Of Your Dreams |
| GitHub | beekeeper-studio |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Eiji Mori of Flatt Security Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2023-28394 |
| JVN iPedia |
JVNDB-2023-000047 |