JVN#31982676
MUSASI version 3 performing authentication on client-side
Overview
MUSASI version 3 provided by NEUMANN CO.LTD. performs authentication within the client-side code.
Products Affected
- MUSASI version 3
Description
MUSASI provided by NEUMANN CO.LTD. is an e-learning system for driving schools.
MUSASI version 3 performs authentication within the client-side code (CWE-603): while still in the pre-authentication state, the client retrieves credential information from the server as soon as a user ID is entered.
This behavior may be exploited to fetch other users' credential information.
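The pattern CWE-603 describes, beside a server-side check, as an added illustration that is not MUSASI's code or anything published by the developer. The account store, function names and response fields are hypothetical, and the sample account is constructed.

```python
import hashlib
import hmac
import os
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the server never stores the plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account store (hypothetical names and values).
_SALT = os.urandom(16)
USERS = {
    "student01": {
        "salt": _SALT,
        "pw_hash": _hash("correct horse", _SALT),
        "legacy_password": "correct horse",  # kept only to model the weak design
    }
}
# Dummy record so unknown user IDs cost the same work as known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)

def weak_prelogin_lookup(user_id: str) -> dict:
    """CWE-603 pattern: an unauthenticated request carrying only a user ID
    gets the stored credential back, and the client does the comparison."""
    rec = USERS.get(user_id)
    return {"password": rec["legacy_password"]} if rec else {}

def server_side_login(user_id: str, password: str) -> dict:
    """Hardened form: the server compares and the response never carries
    credential material, only the outcome and a fresh session token."""
    rec = USERS.get(user_id)
    if rec:
        salt, expected = rec["salt"], rec["pw_hash"]
    else:
        salt, expected = _DUMMY_SALT, _DUMMY_HASH
    # Constant-time comparison; an unknown user can never authenticate.
    ok = hmac.compare_digest(_hash(password, salt), expected) and rec is not None
    if not ok:
        return {"authenticated": False}
    return {"authenticated": True, "session": secrets.token_urlsafe(32)}
```

In the first function anyone who can supply a user ID receives that user's credential; in the second the response is the same for a wrong password and an unknown user ID.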
Impact
A user may retrieve another user's credential and sensitive information.
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
Version 4 has addressed this vulnerability.
The developer states that the product has been completely migrated to version 4 and that version 3 is no longer available.
References
JPCERT/CC Addendum
This issue was reported in March 2012.
Communication with the developer was resumed in April 2024, and this JVN publication was agreed upon.
Vulnerability Analysis by JPCERT/CC
Metric | Possible values |
---|---|
Attack Vector (AV) | Physical (P), Local (L), Adjacent (A), Network (N) |
Attack Complexity (AC) | High (H), Low (L) |
Privileges Required (PR) | High (H), Low (L), None (N) |
User Interaction (UI) | Required (R), None (N) |
Scope (S) | Unchanged (U), Changed (C) |
Confidentiality Impact (C) | None (N), Low (L), High (H) |
Integrity Impact (I) | None (N), Low (L), High (H) |
Availability Impact (A) | None (N), Low (L), High (H) |
Credit
Other Information
CVE | CVE-2024-45785 |
JVN iPedia | JVNDB-2024-000112 |
Update History
- 2024/10/24: NEUMANN CO.LTD. update status
- 2024/10/25: Vendor name under the section [Vendor Status] was updated