Vulnerability-Lookup

CNVD-2017-06948

Vulnerability from cnvd - Published: 2017-05-18

Title

J-LIS The Public Certification Service for Individuals 'The JPKI user's software'存在未明漏洞

Description

J-LIS The Public Certification Service for Individuals "The JPKI user's software"是日本Japan Agency for Local Authority Information Systems（J-LIS）公司的一套基于PKI（公钥基础设施）平台的个人公开认证服务软件。该软件支持查看自签名证书、验证数字签名等。 J-LIS The Public Certification Service for Individuals "The JPKI user's software"中的installer存在安全漏洞。攻击者可利用该漏洞执行任意代码。

Severity

中

Patch Name

J-LIS The Public Certification Service for Individuals 'The JPKI user's software'存在未明漏洞的补丁

Patch Description

Formal description

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： https://www.jpki.go.jp/download/win.html#dl

Reference

http://jvndb.jvn.jp/jvndb/JVNDB-2017-000083

Impacted products

Name
["J-LIS The JPKI user's software <=2.6", "J-LIS The JPKI user's software <=3.1", "J-LIS The JPKI user's software (for Windows Vista)"]

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-2157"
    }
  },
  "description": "J-LIS The Public Certification Service for Individuals \"The JPKI user\u0027s software\"\u662f\u65e5\u672cJapan Agency for Local Authority Information Systems\uff08J-LIS\uff09\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8ePKI\uff08\u516c\u94a5\u57fa\u7840\u8bbe\u65bd\uff09\u5e73\u53f0\u7684\u4e2a\u4eba\u516c\u5f00\u8ba4\u8bc1\u670d\u52a1\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u652f\u6301\u67e5\u770b\u81ea\u7b7e\u540d\u8bc1\u4e66\u3001\u9a8c\u8bc1\u6570\u5b57\u7b7e\u540d\u7b49\u3002\r\n\r\nJ-LIS The Public Certification Service for Individuals \"The JPKI user\u0027s software\"\u4e2d\u7684installer\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "discovererName": "Eiji James Yoshida of Security Professionals Network Inc. and Takashi Yoshikawa of Mitsui Bussan Secure Directions, Inc.",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.jpki.go.jp/download/win.html#dl",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-06948",
  "openTime": "2017-05-18",
  "patchDescription": "J-LIS The Public Certification Service for Individuals \"The JPKI user\u0027s software\"\u662f\u65e5\u672cJapan Agency for Local Authority Information Systems\uff08J-LIS\uff09\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8ePKI\uff08\u516c\u94a5\u57fa\u7840\u8bbe\u65bd\uff09\u5e73\u53f0\u7684\u4e2a\u4eba\u516c\u5f00\u8ba4\u8bc1\u670d\u52a1\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u652f\u6301\u67e5\u770b\u81ea\u7b7e\u540d\u8bc1\u4e66\u3001\u9a8c\u8bc1\u6570\u5b57\u7b7e\u540d\u7b49\u3002\r\n\r\nJ-LIS The Public Certification Service for Individuals \"The JPKI user\u0027s software\"\u4e2d\u7684installer\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "J-LIS The Public Certification Service for Individuals \u0027The JPKI user\u0027s software\u0027\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "J-LIS The JPKI user\u0027s software \u003c=2.6",
      "J-LIS The JPKI user\u0027s software \u003c=3.1",
      "J-LIS The JPKI user\u0027s software (for Windows Vista)"
    ]
  },
  "referenceLink": "http://jvndb.jvn.jp/jvndb/JVNDB-2017-000083",
  "serverity": "\u4e2d",
  "submitTime": "2017-05-17",
  "title": "J-LIS The Public Certification Service for Individuals \u0027The JPKI user\u0027s software\u0027\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

CVE-2017-2157 (GCVE-0-2017-2157)

Vulnerability from cvelistv5 – Published: 2017-05-12 18:00 – Updated: 2024-08-05 13:48

Summary

Untrusted search path vulnerability in installers for The Public Certification Service for Individuals "The JPKI user's software (for Windows 7 and later)" Ver3.1 and earlier, The Public Certification Service for Individuals "The JPKI user's software (for Windows Vista)", The Public Certification Service for Individuals "The JPKI user's software" Ver2.6 and earlier that were available until April 27, 2017 allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.

Severity ?

No CVSS data available.

CWE

Untrusted search path vulnerability

Assigner

jpcert

References

URL

Tags

	https://www.jpki.go.jp/download/win.html#dl	x_refsource_MISC
	http://jvn.jp/en/jp/JVN39605485/index.html	third-party-advisoryx_refsource_JVN

Impacted products

Vendor

Product

Version

Japan Agency for Local Authority Information Systems

Installer for The Public Certification Service for Individuals "The JPKI user's software (for Windows 7 and later)"

Affected: Ver3.1 and earlier that was available until April 27, 2017

	Japan Agency for Local Authority Information Systems	Installer for The Public Certification Service for Individuals "The JPKI user's software (for Windows Vista)"	Affected: available until April 27, 2017
	Japan Agency for Local Authority Information Systems	Installer for The Public Certification Service for Individuals "The JPKI user's software"	Affected: Ver2.6 and earlier that was available until April 27, 2017

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T13:48:05.095Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.jpki.go.jp/download/win.html#dl"
          },
          {
            "name": "JVN#39605485",
            "tags": [
              "third-party-advisory",
              "x_refsource_JVN",
              "x_transferred"
            ],
            "url": "http://jvn.jp/en/jp/JVN39605485/index.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Installer for The Public Certification Service for Individuals \"The JPKI user\u0027s software (for Windows 7 and later)\"",
          "vendor": "Japan Agency for Local Authority Information Systems",
          "versions": [
            {
              "status": "affected",
              "version": "Ver3.1 and earlier that was available until April 27, 2017"
            }
          ]
        },
        {
          "product": "Installer for The Public Certification Service for Individuals \"The JPKI user\u0027s software (for Windows Vista)\"",
          "vendor": "Japan Agency for Local Authority Information Systems",
          "versions": [
            {
              "status": "affected",
              "version": "available until April 27, 2017"
            }
          ]
        },
        {
          "product": "Installer for The Public Certification Service for Individuals \"The JPKI user\u0027s software\"",
          "vendor": "Japan Agency for Local Authority Information Systems",
          "versions": [
            {
              "status": "affected",
              "version": "Ver2.6 and earlier that was available until April 27, 2017"
            }
          ]
        }
      ],
      "datePublic": "2017-05-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Untrusted search path vulnerability in installers for The Public Certification Service for Individuals \"The JPKI user\u0027s software (for Windows 7 and later)\" Ver3.1 and earlier, The Public Certification Service for Individuals \"The JPKI user\u0027s software (for Windows Vista)\", The Public Certification Service for Individuals \"The JPKI user\u0027s software\" Ver2.6 and earlier that were available until April 27, 2017 allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Untrusted search path vulnerability",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-05-12T17:57:01",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.jpki.go.jp/download/win.html#dl"
        },
        {
          "name": "JVN#39605485",
          "tags": [
            "third-party-advisory",
            "x_refsource_JVN"
          ],
          "url": "http://jvn.jp/en/jp/JVN39605485/index.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2017-2157",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Installer for The Public Certification Service for Individuals \"The JPKI user\u0027s software (for Windows 7 and later)\"",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Ver3.1 and earlier that was available until April 27, 2017"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Installer for The Public Certification Service for Individuals \"The JPKI user\u0027s software (for Windows Vista)\"",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "available until April 27, 2017"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Installer for The Public Certification Service for Individuals \"The JPKI user\u0027s software\"",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Ver2.6 and earlier that was available until April 27, 2017"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Japan Agency for Local Authority Information Systems"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Untrusted search path vulnerability in installers for The Public Certification Service for Individuals \"The JPKI user\u0027s software (for Windows 7 and later)\" Ver3.1 and earlier, The Public Certification Service for Individuals \"The JPKI user\u0027s software (for Windows Vista)\", The Public Certification Service for Individuals \"The JPKI user\u0027s software\" Ver2.6 and earlier that were available until April 27, 2017 allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Untrusted search path vulnerability"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.jpki.go.jp/download/win.html#dl",
              "refsource": "MISC",
              "url": "https://www.jpki.go.jp/download/win.html#dl"
            },
            {
              "name": "JVN#39605485",
              "refsource": "JVN",
              "url": "http://jvn.jp/en/jp/JVN39605485/index.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2017-2157",
    "datePublished": "2017-05-12T18:00:00",
    "dateReserved": "2016-12-01T00:00:00",
    "dateUpdated": "2024-08-05T13:48:05.095Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-06948

CVE-2017-2157 (GCVE-0-2017-2157)

Tags

Sightings

Nomenclature