Published: 2017/07/14  Last Updated: 2017/07/24

JVNVU#93377948
Multiple vulnerabilities in "File Transfer Web Service" of AssetView for MacOS

Overview

AssetView for MacOS provided by Hammock Corporation contains multiple vulnerabilities in "File Transfer Web Service".

Products Affected

  • AssetView for MacOS Ver.9.2.0 and earlier versions

Description

AssetView for MacOS provided by Hammock Corporation contains multiple vulnerabilities listed below in "File Transfer Web Service".

  • Directory traversal vulnerability (CWE-22) - CVE-2017-2240
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Base Score: 6.5
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0
  • SQL injection vulnerability (CWE-89) - CVE-2017-2241
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Base Score: 6.3
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:P/A:P Base Score: 6.5

Impact

A possible impact of each vulnerability is as follows.

  • An attacker who can access the server may obtain an arbitrary file - CVE-2017-2240
  • An attacker who can access the server may execute an arbitrary SQL query - CVE-2017-2241

Solution

Apply the Patch
Apply the patch (AssetView File Transfer Web Service Hotfix) according to the information provided by the developer.

Vendor Status

Vendor: Hammock Corporation
Link: Two vulnerabilities in AssetView for MacOS Server

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Muneaki Nishimura of Recruit Technologies Co., Ltd. RED TEAM reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE: CVE-2017-2240, CVE-2017-2241
JVN iPedia

Update History

2017/07/24
Information under the section [Credit] was fixed.