All the vulnerabilites related to SAISON INFORMATION SYSTEMS CO.,LTD. - DataSpider Servista
cve-2023-28937
Vulnerability from cvelistv5
Published
2023-06-01 00:00
Modified
2024-08-02 13:51
Severity ?
EPSS score ?
Summary
DataSpider Servista version 4.4 and earlier uses a hard-coded cryptographic key. DataSpider Servista is data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista. The cryptographic key is embedded in ScriptRunner and ScriptRunner for Amazon SQS, which is common to all users. If an attacker who can gain access to a target DataSpider Servista instance and obtain a Launch Settings file of ScriptRunner and/or ScriptRunner for Amazon SQS, the attacker may perform operations with the user privilege encrypted in the file. Note that DataSpider Servista and some of the OEM products are affected by this vulnerability. For the details of affected products and versions, refer to the information listed in [References].
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| SAISON INFORMATION SYSTEMS CO.,LTD. | DataSpider Servista |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T13:51:38.949Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.hulft.com/download_file/18675"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN38222042/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.hulft.com/application/files/4416/8420/4506/information_20230519_2_en.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.terrasky.co.jp/files/DCSpider_ScriptRunnerVulnerability.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.justsystems.com/jp/services/actionista/info/20230519_001/"
},
{
"tags": [
"x_transferred"
],
"url": "https://cs.wingarc.com/ja/download/000023565"
},
{
"tags": [
"x_transferred"
],
"url": "https://cs.wingarc.com/ja/download/000022448"
},
{
"tags": [
"x_transferred"
],
"url": "https://cs.wingarc.com/ja/download/000016244"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DataSpider Servista",
"vendor": "SAISON INFORMATION SYSTEMS CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "version 4.4 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DataSpider Servista version 4.4 and earlier uses a hard-coded cryptographic key. DataSpider Servista is data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista. The cryptographic key is embedded in ScriptRunner and ScriptRunner for Amazon SQS, which is common to all users. If an attacker who can gain access to a target DataSpider Servista instance and obtain a Launch Settings file of ScriptRunner and/or ScriptRunner for Amazon SQS, the attacker may perform operations with the user privilege encrypted in the file. Note that DataSpider Servista and some of the OEM products are affected by this vulnerability. For the details of affected products and versions, refer to the information listed in [References]."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Use of hard-coded cryptographic key",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-13T00:00:00",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.hulft.com/download_file/18675"
},
{
"url": "https://jvn.jp/en/jp/JVN38222042/"
},
{
"url": "https://www.hulft.com/application/files/4416/8420/4506/information_20230519_2_en.pdf"
},
{
"url": "https://www.terrasky.co.jp/files/DCSpider_ScriptRunnerVulnerability.pdf"
},
{
"url": "https://www.justsystems.com/jp/services/actionista/info/20230519_001/"
},
{
"url": "https://cs.wingarc.com/ja/download/000023565"
},
{
"url": "https://cs.wingarc.com/ja/download/000022448"
},
{
"url": "https://cs.wingarc.com/ja/download/000016244"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-28937",
"datePublished": "2023-06-01T00:00:00",
"dateReserved": "2023-05-11T00:00:00",
"dateUpdated": "2024-08-02T13:51:38.949Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
jvndb-2023-000052
Vulnerability from jvndb
Published
2023-05-31 15:34
Modified
2024-03-19 17:44
Severity ?
Summary
DataSpider Servista uses a hard-coded cryptographic key
Details
DataSpider Servista provided by SAISON INFORMATION SYSTEMS CO.,LTD. is a data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista.
The cryptographic key is embedded in ScriptRunner and ScriptRunner for Amazon SQS, which is common to all users (CWE-321).
Sato Nobuhiro of Suzuki Motor Corporation and You Okuma of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| SAISON INFORMATION SYSTEMS CO.,LTD. | DataSpider Servista |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000052.html",
"dc:date": "2024-03-19T17:44+09:00",
"dcterms:issued": "2023-05-31T15:34+09:00",
"dcterms:modified": "2024-03-19T17:44+09:00",
"description": "DataSpider Servista provided by SAISON INFORMATION SYSTEMS CO.,LTD. is a data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista.\r\nThe cryptographic key is embedded in ScriptRunner and ScriptRunner for Amazon SQS, which is common to all users (CWE-321).\r\n\r\nSato Nobuhiro of Suzuki Motor Corporation and You Okuma of LAC Co., Ltd. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000052.html",
"sec:cpe": {
"#text": "cpe:/a:saison:dataspider_servista",
"@product": "DataSpider Servista",
"@vendor": "SAISON INFORMATION SYSTEMS CO.,LTD.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "5.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"@version": "2.0"
},
{
"@score": "5.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2023-000052",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN38222042/index.html",
"@id": "JVN#38222042",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-28937",
"@id": "CVE-2023-28937",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-28937",
"@id": "CVE-2023-28937",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "DataSpider Servista uses a hard-coded cryptographic key"
}