Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2022-36344

Unquoted Search Path or Element

Published: Aug 16, 2022 | Modified: Aug 23, 2022
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2022-36344
CWEhttps://cwe.mitre.org/data/definitions/428.html

An unquoted search path vulnerability exists in JustSystems JUST Online Update for J-License bundled with multiple products for corporate users as in Ichitaro through Pro5 and others. Since the affected product starts another program with an unquoted file path, a malicious file may be executed with the privilege of the Windows service if it is placed in a certain path. Affected products are bundled with the following product series: Office and Office Integrated Software, ATOK, Hanako, JUST PDF, Shuriken, Homepage Builder, JUST School, JUST Smile Class, JUST Smile, JUST Frontier, JUST Jump, and Tri-De DetaProtect.

Weakness

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.

Affected Software

Name Vendor Start Version End Version
Atok_medical_2 Justsystems * *
Atok_medical_3 Justsystems * *
Atok_pro_3 Justsystems * *
Atok_pro_4 Justsystems * *
Atok_pro_5 Justsystems * *
Hanako_police_5 Justsystems * *
Hanako_police_6 Justsystems * *
Hanako_police_7 Justsystems * *
Hanako_pro_3 Justsystems * *
Hanako_pro_4 Justsystems * *
Hanako_pro_5 Justsystems * *
Homepage_builder_20 Justsystems * *
Homepage_builder_21 Justsystems * *
Homepage_builder_22 Justsystems * *
Ichitaro_government_10 Justsystems * *
Ichitaro_government_8 Justsystems - (including) - (including)
Ichitaro_government_9 Justsystems * *
Ichitaro_pro_3 Justsystems * *
Ichitaro_pro_4 Justsystems * *
Ichitaro_pro_5 Justsystems * *
Just_calc_3 Justsystems * *
Just_calc_4 Justsystems * *
Just_calc_5 Justsystems * *
Just_focus_3 Justsystems * *
Just_focus_4 Justsystems * *
Just_frontier_3 Justsystems * *
Just_government_2 Justsystems * *
Just_government_3 Justsystems * *
Just_government_4 Justsystems * *
Just_government_5 Justsystems * *
Just_jump_8 Justsystems * *
Just_jump_class Justsystems * *
Just_jump_class_2 Justsystems * *
Just_medical_2 Justsystems * *
Just_medical_3 Justsystems * *
Just_medical_4 Justsystems * *
Just_medical_5 Justsystems * *
Just_note_3 Justsystems * *
Just_note_4 Justsystems * *
Just_note_5 Justsystems * *
Just_office_2 Justsystems * *
Just_office_3 Justsystems * *
Just_office_4 Justsystems * *
Just_office_5 Justsystems * *
Just_pdf_3 Justsystems * *
Just_pdf_4 Justsystems * *
Just_pdf_5 Justsystems * *
Just_police_2 Justsystems * *
Just_police_3 Justsystems * *
Just_police_4 Justsystems * *
Just_police_5 Justsystems * *
Just_school_6 Justsystems * *
Just_school_7 Justsystems * *
Just_smile_6 Justsystems * *
Just_smile_7 Justsystems * *
Just_smile_8 Justsystems * *
Just_smile_class_2 Justsystems * *
Shuriken_pro_6 Justsystems * *
Shuriken_pro_7 Justsystems * *
Tri-de_dataprotect Justsystems * *

Potential Mitigations

  • Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use