CVE-2022-36344 — CRITICAL (9.8)

Vulnerability Description

An unquoted search path vulnerability exists in 'JustSystems JUST Online Update for J-License' bundled with multiple products for corporate users as in Ichitaro through Pro5 and others. Since the affected product starts another program with an unquoted file path, a malicious file may be executed with the privilege of the Windows service if it is placed in a certain path. Affected products are bundled with the following product series: Office and Office Integrated Software, ATOK, Hanako, JUST PDF, Shuriken, Homepage Builder, JUST School, JUST Smile Class, JUST Smile, JUST Frontier, JUST Jump, and Tri-De DetaProtect.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Justsystems	Atok Medical 2	All versions
Justsystems	Atok Medical 3	All versions
Justsystems	Atok Pro 3	All versions
Justsystems	Atok Pro 4	All versions
Justsystems	Atok Pro 5	All versions
Justsystems	Hanako Police 5	All versions
Justsystems	Hanako Police 6	All versions
Justsystems	Hanako Police 7	All versions
Justsystems	Hanako Pro 3	All versions
Justsystems	Hanako Pro 4	All versions
Justsystems	Hanako Pro 5	All versions
Justsystems	Homepage Builder 20	All versions
Justsystems	Homepage Builder 21	All versions
Justsystems	Homepage Builder 22	All versions
Justsystems	Ichitaro Government 10	All versions
Justsystems	Ichitaro Government 8	-
Justsystems	Ichitaro Government 9	All versions
Justsystems	Ichitaro Pro 3	All versions
Justsystems	Ichitaro Pro 4	All versions
Justsystems	Ichitaro Pro 5	All versions

Related Weaknesses (CWE)

CWE-428

References

https://jvn.jp/en/jp/JVN57073973/index.htmlThird Party Advisory
https://www.justsystems.com/jp/corporate/info/js22001.htmlVendor Advisory
https://jvn.jp/en/jp/JVN57073973/index.htmlThird Party Advisory
https://www.justsystems.com/jp/corporate/info/js22001.htmlVendor Advisory

FAQ

What is CVE-2022-36344?

CVE-2022-36344 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An unquoted search path vulnerability exists in 'JustSystems JUST Online Update for J-License' bundled with multiple products for corporate users as in Ichitaro through Pro5 and others. Since the affe...

How severe is CVE-2022-36344?

CVE-2022-36344 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2022-36344?

Check the references section above for vendor advisories and patch information. Affected products include: Justsystems Atok Medical 2, Justsystems Atok Medical 3, Justsystems Atok Pro 3, Justsystems Atok Pro 4, Justsystems Atok Pro 5.