Multiple vulnerabilities in Nadesiko



Published: 2022-10-20
Risk High
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2022-41642
CVE-2022-41777
CVE-2022-42496
CWE-ID CWE-78
CWE-755
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Nadesiko
Universal components / Libraries / Programming Languages & Components

Vendor kujirahand

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) OS Command Injection

EUVDB-ID: #VU68554

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-41642

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in handling of compression and decompressions commands. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Nadesiko: 3.0.19 - 3.3.61


CPE2.3 External links

http://jvn.jp/en/jp/JVN56968681/index.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Improper handling of exceptional conditions

EUVDB-ID: #VU68555

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-41777

CWE-ID: CWE-755 - Improper Handling of Exceptional Conditions

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper handling of errors within nako3edit. A remote attacker can send specially crafted input and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Nadesiko: 3.0.19 - 3.3.74


CPE2.3 External links

http://jvn.jp/en/jp/JVN56968681/index.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) OS Command Injection

EUVDB-ID: #VU68556

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-42496

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation when handling a "file" parameter in nako3edit. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Nadesiko: 3.0.19 - 3.3.74


CPE2.3 External links

http://jvn.jp/en/jp/JVN56968681/index.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###