Published: 2024/10/28  Last Updated: 2024/10/28

JVN#78335885
Chatwork Desktop Application (Windows) uses a potentially dangerous function

Overview

Chatwork Desktop Application (Windows) contains an issue with the use of a potentially dangerous function.

Products Affected

  • Chatwork Desktop Application (Windows) versions prior to 2.9.2

Description

Chatwork Desktop Application (Windows) provided by kubell Co., Ltd. contains an issue with the use of a potentially dangerous function (CWE-676), which allows a user to access an external website via a link in the application.

Impact

If a user clicks a specially crafted link in the application, an arbitrary file may be downloaded from an external website and executed. As a result, arbitrary code may be executed on the device that runs Chatwork Desktop Application (Windows).

Solution

Update the application
Update the application to the latest version according to the information provided by the developer.

Apply the workaround
The developer states that the impact of this vulnerability may be mitigated by disabling guest access in the SMB client function of Windows OS.

For more information, refer to the information provided by the developer.
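
The following PowerShell function is an added example, not code from the developer or from JVN, for auditing both remedies on a Windows host. It assumes that "guest access" of the SMB client corresponds to the Windows "insecure guest logons" setting; the function name and the InstalledVersion parameter are hypothetical, and the version string must be supplied by the operator.

```powershell
# Added example: audit the SMB client guest-access workaround and the fixed version.
# Assumption: the advisory's "guest access" maps to the insecure guest logons setting.
function Test-ChatworkMitigation {
    [CmdletBinding()]
    param(
        [string]$InstalledVersion,  # hypothetical input, e.g. copied from the app's version display
        [switch]$Remediate          # changing the setting requires an elevated session
    )
    $fixed = [version]'2.9.2'       # versions prior to 2.9.2 are affected per the advisory
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'

    # A Group Policy value, when present, takes precedence over the local setting.
    $policy = (Get-ItemProperty -Path $policyPath -Name AllowInsecureGuestAuth `
        -ErrorAction SilentlyContinue).AllowInsecureGuestAuth
    $local = (Get-SmbClientConfiguration).EnableInsecureGuestLogons

    if ($Remediate -and $local) {
        Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force
        $local = (Get-SmbClientConfiguration).EnableInsecureGuestLogons
    }

    $guestAllowed = if ($null -ne $policy) { [bool]$policy } else { [bool]$local }

    # Version check only runs when the operator supplied a version string.
    $patched = $null
    if ($InstalledVersion) { $patched = ([version]$InstalledVersion -ge $fixed) }

    [pscustomobject]@{
        LocalGuestLogons   = [bool]$local
        PolicyGuestLogons  = $policy        # $null means no policy is configured
        GuestAccessAllowed = $guestAllowed  # $true means the workaround is not in effect
        VersionPatched     = $patched       # $null means no version was supplied
    }
}

# Constructed usage: report only, with a sample affected version string.
Test-ChatworkMitigation -InstalledVersion '2.9.1'
```

If PolicyGuestLogons is 1, the local change made by -Remediate does not take effect until the policy itself is changed.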

Vendor Status

Vendor | Status | Last Update | Vendor Notes
kubell Co., Ltd. | Vulnerable | 2024/10/28 |

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Base Score: 5.5
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality Impact (C): Low (L)
Integrity Impact (I): Low (L)
Availability Impact (A): Low (L)

Credit

RyotaK of Flatt Security Inc. directly reported this vulnerability to the developer and coordinated. After the coordination was completed, the developer reported this case to IPA under Information Security Early Warning Partnership to notify the users of the solution through JVN, and JPCERT/CC coordinated with the developer for JVN advisory publication.

Other Information

CVE: CVE-2024-50307
JVN iPedia: JVNDB-2024-000115