Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-36344

Summary
Assigner-jpcert
Assigner Org ID-ede6fdc4-6654-4307-a26d-3331c018e2ce
Published At-16 Aug, 2022 | 07:03
Updated At-03 Aug, 2024 | 10:00
Rejected At-
Credits

An unquoted search path vulnerability exists in 'JustSystems JUST Online Update for J-License' bundled with multiple products for corporate users as in Ichitaro through Pro5 and others. Since the affected product starts another program with an unquoted file path, a malicious file may be executed with the privilege of the Windows service if it is placed in a certain path. Affected products are bundled with the following product series: Office and Office Integrated Software, ATOK, Hanako, JUST PDF, Shuriken, Homepage Builder, JUST School, JUST Smile Class, JUST Smile, JUST Frontier, JUST Jump, and Tri-De DetaProtect.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:jpcert
Assigner Org ID:ede6fdc4-6654-4307-a26d-3331c018e2ce
Published At:16 Aug, 2022 | 07:03
Updated At:03 Aug, 2024 | 10:00
Rejected At:
▼CVE Numbering Authority (CNA)

An unquoted search path vulnerability exists in 'JustSystems JUST Online Update for J-License' bundled with multiple products for corporate users as in Ichitaro through Pro5 and others. Since the affected product starts another program with an unquoted file path, a malicious file may be executed with the privilege of the Windows service if it is placed in a certain path. Affected products are bundled with the following product series: Office and Office Integrated Software, ATOK, Hanako, JUST PDF, Shuriken, Homepage Builder, JUST School, JUST Smile Class, JUST Smile, JUST Frontier, JUST Jump, and Tri-De DetaProtect.

Affected Products
Vendor
JustSystems Corporation
Product
JustSystems JUST Online Update for J-License'
Versions
Affected
  • JustSystems JUST Online Update for J-License' bundled with multiple products for corporate users as in Ichitaro through Pro5 and others
Problem Types
TypeCWE IDDescription
textN/AUnquoted Search Path or Element
Type: text
CWE ID: N/A
Description: Unquoted Search Path or Element
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.justsystems.com/jp/corporate/info/js22001.html
x_refsource_MISC
https://jvn.jp/en/jp/JVN57073973/index.html
x_refsource_MISC
Hyperlink: https://www.justsystems.com/jp/corporate/info/js22001.html
Resource:
x_refsource_MISC
Hyperlink: https://jvn.jp/en/jp/JVN57073973/index.html
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.justsystems.com/jp/corporate/info/js22001.html
x_refsource_MISC
x_transferred
https://jvn.jp/en/jp/JVN57073973/index.html
x_refsource_MISC
x_transferred
Hyperlink: https://www.justsystems.com/jp/corporate/info/js22001.html
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://jvn.jp/en/jp/JVN57073973/index.html
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:vultures@jpcert.or.jp
Published At:16 Aug, 2022 | 08:15
Updated At:23 Aug, 2022 | 16:02

An unquoted search path vulnerability exists in 'JustSystems JUST Online Update for J-License' bundled with multiple products for corporate users as in Ichitaro through Pro5 and others. Since the affected product starts another program with an unquoted file path, a malicious file may be executed with the privilege of the Windows service if it is placed in a certain path. Affected products are bundled with the following product series: Office and Office Integrated Software, ATOK, Hanako, JUST PDF, Shuriken, Homepage Builder, JUST School, JUST Smile Class, JUST Smile, JUST Frontier, JUST Jump, and Tri-De DetaProtect.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches
justsystems
justsystems
>>atok_medical_2>>*
cpe:2.3:a:justsystems:atok_medical_2:*:*:*:*:*:windows:*:*
justsystems
justsystems
>>atok_medical_3>>*
cpe:2.3:a:justsystems:atok_medical_3:*:*:*:*:*:windows:*:*
justsystems
justsystems
>>atok_pro_3>>*
cpe:2.3:a:justsystems:atok_pro_3:*:*:*:*:*:windows:*:*
justsystems
justsystems
>>atok_pro_4>>*
cpe:2.3:a:justsystems:atok_pro_4:*:*:*:*:*:windows:*:*
justsystems
justsystems
>>atok_pro_5>>*
cpe:2.3:a:justsystems:atok_pro_5:*:*:*:*:*:windows:*:*
justsystems
justsystems
>>hanako_police_5>>*
cpe:2.3:a:justsystems:hanako_police_5:*:*:*:*:*:*:*:*
justsystems
justsystems
>>hanako_police_6>>*
cpe:2.3:a:justsystems:hanako_police_6:*:*:*:*:*:*:*:*
justsystems
justsystems
>>hanako_police_7>>*
cpe:2.3:a:justsystems:hanako_police_7:*:*:*:*:*:*:*:*
justsystems
justsystems
>>hanako_pro_3>>*
cpe:2.3:a:justsystems:hanako_pro_3:*:*:*:*:*:*:*:*
justsystems
justsystems
>>hanako_pro_4>>*
cpe:2.3:a:justsystems:hanako_pro_4:*:*:*:*:*:*:*:*
justsystems
justsystems
>>hanako_pro_5>>*
cpe:2.3:a:justsystems:hanako_pro_5:*:*:*:*:*:*:*:*
justsystems
justsystems
>>homepage_builder_20>>*
cpe:2.3:a:justsystems:homepage_builder_20:*:*:*:*:*:*:*:*
justsystems
justsystems
>>homepage_builder_21>>*
cpe:2.3:a:justsystems:homepage_builder_21:*:*:*:*:*:*:*:*
justsystems
justsystems
>>homepage_builder_22>>*
cpe:2.3:a:justsystems:homepage_builder_22:*:*:*:*:*:*:*:*
justsystems
justsystems
>>ichitaro_government_10>>*
cpe:2.3:a:justsystems:ichitaro_government_10:*:*:*:*:*:*:*:*
justsystems
justsystems
>>ichitaro_government_8>>-
cpe:2.3:a:justsystems:ichitaro_government_8:-:*:*:*:*:*:*:*
justsystems
justsystems
>>ichitaro_government_9>>*
cpe:2.3:a:justsystems:ichitaro_government_9:*:*:*:*:*:*:*:*
justsystems
justsystems
>>ichitaro_pro_3>>*
cpe:2.3:a:justsystems:ichitaro_pro_3:*:*:*:*:*:*:*:*
justsystems
justsystems
>>ichitaro_pro_4>>*
cpe:2.3:a:justsystems:ichitaro_pro_4:*:*:*:*:*:*:*:*
justsystems
justsystems
>>ichitaro_pro_5>>*
cpe:2.3:a:justsystems:ichitaro_pro_5:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_calc_3>>*
cpe:2.3:a:justsystems:just_calc_3:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_calc_4>>*
cpe:2.3:a:justsystems:just_calc_4:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_calc_5>>*
cpe:2.3:a:justsystems:just_calc_5:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_focus_3>>*
cpe:2.3:a:justsystems:just_focus_3:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_focus_4>>*
cpe:2.3:a:justsystems:just_focus_4:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_frontier_3>>*
cpe:2.3:a:justsystems:just_frontier_3:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_government_2>>*
cpe:2.3:a:justsystems:just_government_2:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_government_3>>*
cpe:2.3:a:justsystems:just_government_3:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_government_4>>*
cpe:2.3:a:justsystems:just_government_4:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_government_5>>*
cpe:2.3:a:justsystems:just_government_5:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_jump_8>>*
cpe:2.3:a:justsystems:just_jump_8:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_jump_class>>*
cpe:2.3:a:justsystems:just_jump_class:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_jump_class_2>>*
cpe:2.3:a:justsystems:just_jump_class_2:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_medical_2>>*
cpe:2.3:a:justsystems:just_medical_2:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_medical_3>>*
cpe:2.3:a:justsystems:just_medical_3:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_medical_4>>*
cpe:2.3:a:justsystems:just_medical_4:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_medical_5>>*
cpe:2.3:a:justsystems:just_medical_5:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_note_3>>*
cpe:2.3:a:justsystems:just_note_3:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_note_4>>*
cpe:2.3:a:justsystems:just_note_4:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_note_5>>*
cpe:2.3:a:justsystems:just_note_5:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_office_2>>*
cpe:2.3:a:justsystems:just_office_2:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_office_3>>*
cpe:2.3:a:justsystems:just_office_3:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_office_4>>*
cpe:2.3:a:justsystems:just_office_4:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_office_5>>*
cpe:2.3:a:justsystems:just_office_5:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_pdf_3>>*
cpe:2.3:a:justsystems:just_pdf_3:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_pdf_4>>*
cpe:2.3:a:justsystems:just_pdf_4:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_pdf_5>>*
cpe:2.3:a:justsystems:just_pdf_5:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_pdf_5>>*
cpe:2.3:a:justsystems:just_pdf_5:*:*:*:*:pro:*:*:*
justsystems
justsystems
>>just_police_2>>*
cpe:2.3:a:justsystems:just_police_2:*:*:*:*:*:*:*:*
justsystems
justsystems
>>just_police_3>>*
cpe:2.3:a:justsystems:just_police_3:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-428Primarynvd@nist.gov
CWE ID: CWE-428
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://jvn.jp/en/jp/JVN57073973/index.htmlvultures@jpcert.or.jp
Third Party Advisory
https://www.justsystems.com/jp/corporate/info/js22001.htmlvultures@jpcert.or.jp
Vendor Advisory
Hyperlink: https://jvn.jp/en/jp/JVN57073973/index.html
Source: vultures@jpcert.or.jp
Resource:
Third Party Advisory
Hyperlink: https://www.justsystems.com/jp/corporate/info/js22001.html
Source: vultures@jpcert.or.jp
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

4Records found
CVE-2019-17658
Matching Score-4
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-4
Assigner-Fortinet, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 59.34%
||
7 Day CHG~0.00%
Published-12 Mar, 2020 | 21:26
Updated-25 Oct, 2024 | 14:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unquoted service path vulnerability in the FortiClient FortiTray component of FortiClientWindows v6.2.2 and prior allow an attacker to gain elevated privileges via the FortiClientConsole executable service path.

Action-Not Available
Vendor-Fortinet, Inc.
Product-forticlientFortinet FortiClientWindows
CWE ID-CWE-428
Unquoted Search Path or Element
CVE-2023-38408
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-73.01% / 98.73%
||
7 Day CHG~0.00%
Published-20 Jul, 2023 | 00:00
Updated-15 Oct, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

Action-Not Available
Vendor-n/aOpenBSDFedora Project
Product-fedoraopensshn/a
CWE ID-CWE-428
Unquoted Search Path or Element
CVE-2020-14521
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.3||HIGH
EPSS-0.24% / 47.41%
||
7 Day CHG~0.00%
Published-11 Feb, 2022 | 17:40
Updated-16 Apr, 2025 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mitsubishi Electric Factory Automation Engineering Products Unquoted Search Path or Element

Multiple Mitsubishi Electric Factory Automation engineering software products have a malicious code execution vulnerability. A malicious attacker could use this vulnerability to obtain information, modify information, and cause a denial-of-service condition.

Action-Not Available
Vendor-Mitsubishi Electric Corporation
Product-melsoft_complete_clean_up_toolgot1000_series_gt10network_interface_board_cc_ie_control_utility_firmwaregot1000_series_gt12fr_configurator_sw3motorizergx_works3got1000_series_gt25gt_designer3network_interface_board_mneth_utility_firmwarecc-link_ie_tsn_data_collectorgot1000_series_gt15network_interface_board_cc-link_ver.2_utility_firmwarec_controller_interface_module_utilitysetting\/monitoring_tools_for_the_c_controller_modulegot1000_series_gt23data_transferezsocketm_commdtm-io-linkmx_mesinterface-rgot1000_series_gt27gt_softgot1000melsoft_em_software_development_kitc_controller_module_setting_and_monitoring_toolcc-link_ie_control_network_data_collectorrt_toolbox3position_board_utility_2fr_configurator2mtconnect_data_collectormx_componentmelfa-worksmelsoft_iq_appportalgot1000_series_gt14network_interface_board_cc_ie_field_utility_firmwarenetwork_interface_board_cc_ie_control_utilitygx_logviewermt_works2mx_mesinterfacecc-link_ie_field_network_data_collectormotion_control_settingpx_developerslmp_data_collectormx_sheetcw_configuratornetwork_interface_board_mneth_utilitycpu_module_logging_configuration_toolgt_designer2_classicmelsec_wincpu_setting_utilitymelsoft_navigatorgt_softgot2000got1000_series_gt21network_interface_board_cc-link_ver.2_utilitynetwork_interface_board_cc_ie_field_utilitygx_works2mr_configurator2got1000_series_gt16mi_configuratorrt_toolbox2got1000_series_gt11gx_developerGT Designer3 Version1 (GOT1000)GX LogViewerMI ConfiguratorCC-Link IE TSN Data CollectorFR Configurator SW3CC-Link IE Control Network Data CollectorMX MESInterfaceMotorizerNetwork Interface Board CC IE Field UtilityData TransferMELSOFT EM Software Development KitCC-Link IE Field Network Data CollectorMELSOFT iQ AppPortalMT Works2RT ToolBox2MR Configurator2MX SheetMotion Control SettingEZSocketNetwork Interface Board CC IE Control UtilityGX Works2CPU Module Logging Configuration ToolGX DeveloperPX DeveloperGT SoftGOT2000 Version1GT Designer3 Version1 (GOT2000)GT SoftGOT1000 Version3GX Works3RT ToolBox3MELSOFT NavigatorM_CommDTM-IO-LinkNetwork Interface Board MNETH UtilityFR Configurator2MELSOFT Complete Clean Up ToolSLMP Data CollectorCW ConfiguratorMELFA-WorksSetting/Monitoring tools for the C Controller moduleMELSEC WinCPU Setting UtilityMTConnect Data CollectorC Controller Interface Module UtilityGT Designer2 ClassicMX ComponentMX MESInterface-RPosition Board utility 2Network Interface Board CC-Link Ver.2 Utility
CWE ID-CWE-428
Unquoted Search Path or Element
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-9292
Matching Score-4
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-4
Assigner-Fortinet, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.50% / 65.10%
||
7 Day CHG~0.00%
Published-04 Jun, 2020 | 12:41
Updated-25 Oct, 2024 | 14:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unquoted service path vulnerability in the FortiSIEM Windows Agent component may allow an attacker to gain elevated privileges via the AoWinAgt executable service path.

Action-Not Available
Vendor-n/aFortinet, Inc.
Product-fortisiem_windows_agentFortinet FortiSIEMWindowsAgent
CWE ID-CWE-428
Unquoted Search Path or Element
Details not found