Published:2023/03/01  Last Updated:2023/03/09

Multiple vulnerabilities in SS1 and Rakuraku PC Cloud


SS1 and Rakuraku PC Cloud provided by DOS Co., Ltd. contain multiple vulnerabilities.

Products Affected

  • SS1 Ver. and earlier (Media version 13.1.0c and earlier)
  • Rakuraku PC Cloud Agent Ver.2.1.8 and earlier


SS1 is asset management software and Rakuraku PC Cloud is cloud-based asset management service. SS1 and Rakuraku PC Cloud Agent contain multiple vulnerabilities listed below.

  • Improper Access Control (CWE-284) - CVE-2023-22335
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score: 7.5
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:N/A:N Base Score: 5.0
  • Path Traversal (CWE-22) - CVE-2023-22336
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3
    CVSS v2 AV:N/AC:L/Au:N/C:N/I:P/A:N Base Score: 5.0
  • Use of Hard-coded Credentials (CWE-798) - CVE-2023-22344
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score: 5.3
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:N/A:N Base Score: 5.0


  • A remote attacker may download arbitrary files of the directory where the product runs - CVE-2023-22335
  • A remote attacker may upload a specially crafted file to an arbitrary directory - CVE-2023-22336
  • A remote attacker may obtain the password of the debug tool and execute it - CVE-2023-22344
When these vulnerabilities are combined, it allows a remote attacker to execute an arbitrary code with SYSTEM privileges by sending a specially crafted script to the affected device.


Update the software
Update software to the latest version according to the information provided by the developer.

The developer states that the patch of Rakuraku PC Cloud Agent is applied automatically when the client is launched.


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC


Denis Faiustov, and Ruslan Sayfiev of GMO Cyber Security by IERAE reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2023-22335
JVN iPedia JVNDB-2023-000021

Update History

Information under the section [Products Affected] was updated.