Published: 2023/10/30  Last Updated: 2023/11/15

JVN#48057522
Inkdrop vulnerable to code injection

Overview

Inkdrop contains a code injection vulnerability.

Products Affected

  • Inkdrop versions prior to v5.6.0

Description

Inkdrop, provided by Takuya Matsuyama, is a Markdown editor. Inkdrop contains a code injection vulnerability (CWE-94).

Impact

If a specially crafted Markdown file is opened using the product, arbitrary code may be executed.

Solution

Update the Software
The developer states that Inkdrop has an auto-update feature, so affected versions of the product will be updated automatically.

Vendor Status

Vendor: Takuya Matsuyama
Links: Inkdrop; Inkdrop Desktop v5.6.0

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score: 7.8
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): High (H)
  • Integrity Impact (I): High (H)
  • Availability Impact (A): High (H)

CVSS v2: AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score: 6.8
  • Access Vector (AV): Network (N)
  • Access Complexity (AC): Medium (M)
  • Authentication (Au): None (N)
  • Confidentiality Impact (C): Partial (P)
  • Integrity Impact (I): Partial (P)
  • Availability Impact (A): Partial (P)

Credit

T.Nodoka reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2023-44141
JVN iPedia: JVNDB-2023-000108

Update History

2023/11/15
Information under the section [Credit] was updated