CVE-2022-36344

CVSS V2 None CVSS V3 Critical 9.8
Description
An unquoted search path vulnerability exists in 'JustSystems JUST Online Update for J-License' bundled with multiple products for corporate users as in Ichitaro through Pro5 and others. Since the affected product starts another program with an unquoted file path, a malicious file may be executed with the privilege of the Windows service if it is placed in a certain path. Affected products are bundled with the following product series: Office and Office Integrated Software, ATOK, Hanako, JUST PDF, Shuriken, Homepage Builder, JUST School, JUST Smile Class, JUST Smile, JUST Frontier, JUST Jump, and Tri-De DetaProtect.
Overview
  • CVE ID
  • CVE-2022-36344
  • Assigner
  • vultures@jpcert.or.jp
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2022-08-16T08:15:09
  • Last Modified Date
  • 2022-08-23T16:02:22
Weakness Enumerations
CWE URL
CWE-428 http://cwe.mitre.org/data/definitions/428.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:justsystems:atok_medical_2:*:*:*:*:*:windows:*:* 1 OR
cpe:2.3:a:justsystems:atok_medical_3:*:*:*:*:*:windows:*:* 1 OR
cpe:2.3:a:justsystems:atok_pro_3:*:*:*:*:*:windows:*:* 1 OR
cpe:2.3:a:justsystems:atok_pro_4:*:*:*:*:*:windows:*:* 1 OR
cpe:2.3:a:justsystems:atok_pro_5:*:*:*:*:*:windows:*:* 1 OR
cpe:2.3:a:justsystems:hanako_police_5:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:hanako_police_6:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:hanako_police_7:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:hanako_pro_3:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:hanako_pro_4:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:hanako_pro_5:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:homepage_builder_20:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:homepage_builder_21:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:homepage_builder_22:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:ichitaro_government_10:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:ichitaro_government_8:-:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:ichitaro_government_9:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:ichitaro_pro_3:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:ichitaro_pro_4:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:ichitaro_pro_5:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_calc_3:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_calc_4:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_calc_5:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_focus_3:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_focus_4:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_frontier_3:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_government_2:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_government_3:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_government_4:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_government_5:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_jump_8:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_jump_class:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_jump_class_2:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_medical_2:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_medical_3:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_medical_4:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_medical_5:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_note_3:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_note_4:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_note_5:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_office_2:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_office_3:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_office_4:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_office_5:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_pdf_3:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_pdf_4:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_pdf_5:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_pdf_5:*:*:*:*:pro:*:*:* 1 OR
cpe:2.3:a:justsystems:just_police_2:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_police_3:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_police_4:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_police_5:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_school_6:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_school_7:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_smile_6:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_smile_7:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_smile_8:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:just_smile_class_2:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:shuriken_pro_6:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:shuriken_pro_7:*:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:justsystems:tri-de_dataprotect:*:*:*:*:*:*:*:* 1 OR
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • NONE
  • User Interaction
  • NONE
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • HIGH
  • Availability Impact
  • HIGH
  • Base Score
  • 9.8
  • Base Severity
  • CRITICAL
  • Exploitability Score
  • 3.9
  • Impact Score
  • 5.9
References
Reference URL Reference Tags
https://jvn.jp/en/jp/JVN57073973/index.html
https://www.justsystems.com/jp/corporate/info/js22001.html
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2022-36344
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36344
History
Created Old Value New Value Data Type Notes
2022-08-16 14:00:42 Added to TrackCVE