All the vulnerabilities related to sira.jp - EasyRange
cve-2024-28131
Vulnerability from cvelistv5
Published
2024-03-26 09:29
Modified
2024-08-02 17:14
Summary
EasyRange Ver 1.41 contains an issue with the executable file search path when displaying an extracted file in Explorer, which may lead to loading an executable file that resides in the same folder where the extracted file is placed. If this vulnerability is exploited, arbitrary code may be executed with the privileges of the running program. Note that the developer was unreachable; therefore, users should consider no longer using EasyRange Ver 1.41.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:48:49.011Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://jvn.jp/en/jp/JVN13113728/index.html" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:sira:easyrange:1.41:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "easyrange", "vendor": "sira", "versions": [ { "status": "affected", "version": "1.41" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-28131", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-08-02T17:12:56.904259Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-427", "description": "CWE-427 Uncontrolled Search Path Element", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-02T17:14:14.445Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "EasyRange", "vendor": "sira.jp", "versions": [ { "status": "affected", "version": "Ver 1.41" } ] } ], "descriptions": [ { "lang": "en", "value": "EasyRange Ver 1.41 contains an issue with the executable file search path when displaying an extracted file on Explorer, which may lead to loading an executable file resides in the same folder where the extracted file is placed. 
If this vulnerability is exploited, arbitrary code may be executed with the privilege of the running program. Note that the developer was unreachable, therefore, users should consider stop using EasyRange Ver 1.41.\r\n" } ], "problemTypes": [ { "descriptions": [ { "description": "Uncontrolled Search Path Element", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-26T09:29:13.376Z", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "url": "https://jvn.jp/en/jp/JVN13113728/index.html" } ] } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2024-28131", "datePublished": "2024-03-26T09:29:13.376Z", "dateReserved": "2024-03-05T04:06:06.890Z", "dateUpdated": "2024-08-02T17:14:14.445Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
jvndb-2024-000900
Vulnerability from jvndb
Published
2024-03-26 15:50
Modified
2024-03-26 15:50
Summary
"EasyRange" may insecurely load executable files
Details
"EasyRange" <http://sira.jp/soft/> provided by sira.jp (according to the original report submitted by the reporter) is a tool to extract compressed files.
"EasyRange" contains an issue with the executable file search path when displaying an extracted file in Explorer, which may lead to loading an executable file that resides in the same folder where the extracted file is placed (CWE-427).
During the meeting of the Committee for authorizing the disclosure of unresolved vulnerabilities held on December 20, 2023, it was judged that an advisory for this vulnerability shall be disclosed, since all the criteria and conditions described below, which are stated in Standards for Handling Vulnerability related Information of Software Products and Other and Information Security Early Warning Partnership Guideline, have been satisfied.
1. The developer of the product is unreachable
2. Existence of vulnerability has been verified
3. Not disclosing this case may result in the risk that product users will have no means to know
4. There are no particular reasons that would make disclosure inappropriate
References
| Type | URL |
|---|---|
| JVN | https://jvn.jp/en/jp/JVN13113728/index.html |
| CVE | https://www.cve.org/CVERecord?id=CVE-2024-28131 |
| No Mapping(CWE-Other) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000900.html", "dc:date": "2024-03-26T15:50+09:00", "dcterms:issued": "2024-03-26T15:50+09:00", "dcterms:modified": "2024-03-26T15:50+09:00", "description": "\"EasyRange\" \u0026lt;http://sira.jp/soft/\u0026gt; provided by sira.jp (according to the original report submitted by the reporter) is a tool to extract compressed files.\r\n\"EasyRange\" contains an issue with the executable file search path when displaying an extracted file on Explorer, which may lead to loading an executable file resides in the same folder where the extracted file is placed (CWE-427).\r\n\r\nDuring the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on December 20, 2023, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Vulnerability related Information of Software Products and Other and Information Security Early Warning Partnership Guideline have been satisfied.\r\n\r\n1. The developer of the product is unreachable\r\n2. Existence of vulnerability has been verified\r\n3. Not disclosing this case may result in the risk that product users will have no means to know\r\n4. 
There are no particular reasons that would make disclosure inappropriate", "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000900.html", "sec:cpe": { "#text": "cpe:/a:misc:sira.jp_easyrange", "@product": "EasyRange", "@vendor": "sira.jp", "@version": "2.2" }, "sec:cvss": [ { "@score": "6.8", "@severity": "Medium", "@type": "Base", "@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "@version": "2.0" }, { "@score": "7.8", "@severity": "High", "@type": "Base", "@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "@version": "3.0" } ], "sec:identifier": "JVNDB-2024-000900", "sec:references": [ { "#text": "https://jvn.jp/en/jp/JVN13113728/index.html", "@id": "JVN#13113728", "@source": "JVN" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2024-28131", "@id": "CVE-2024-28131", "@source": "CVE" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-Other", "@title": "No Mapping(CWE-Other)" } ], "title": "\"EasyRange\" may insecurely load executable files" }