JVN#57224029
Multiple vulnerabilities in SS1 and Rakuraku PC Cloud

Overview

SS1 and Rakuraku PC Cloud provided by DOS Co., Ltd. contain multiple vulnerabilities.

Products Affected

• SS1 Ver.13.1.0.40 and earlier (Media version 13.1.0c and earlier)
• Rakuraku PC Cloud Agent Ver.2.1.8 and earlier

Description

SS1 is asset management software and Rakuraku PC Cloud is cloud-based asset management service. SS1 and Rakuraku PC Cloud Agent contain multiple vulnerabilities listed below.

• Improper Access Control (CWE-284) - CVE-2023-22335

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	Base Score: 7.5
  CVSS v2	AV:N/AC:L/Au:N/C:P/I:N/A:N	Base Score: 5.0

• Path Traversal (CWE-22) - CVE-2023-22336

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	Base Score: 5.3
  CVSS v2	AV:N/AC:L/Au:N/C:N/I:P/A:N	Base Score: 5.0

• Use of Hard-coded Credentials (CWE-798) - CVE-2023-22344

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	Base Score: 5.3
  CVSS v2	AV:N/AC:L/Au:N/C:P/I:N/A:N	Base Score: 5.0

Impact

• A remote attacker may download arbitrary files of the directory where the product runs - CVE-2023-22335
• A remote attacker may upload a specially crafted file to an arbitrary directory - CVE-2023-22336
• A remote attacker may obtain the password of the debug tool and execute it - CVE-2023-22344

Solution

Update the software
Update software to the latest version according to the information provided by the developer.

The developer states that the patch of Rakuraku PC Cloud Agent is applied automatically when the client is launched.