Headline
CVE-2022-42496: JVN#56968681: Multiple vulnerabilities in nadesiko3
OS command injection vulnerability in Nako3edit, editor component of nadesiko3 (PC Version) v3.3.74 and earlier allows a remote attacker to obtain appkey of the product and execute an arbitrary OS command on the product.
Published:2022/10/20 Last Updated:2022/10/28
Overview
Nadesiko3 provided by kujirahand contains multiple vulnerabilities.
Products Affected
CVE-2022-41642
- Nadesiko3 (PC Version) v3.3.68 and earlier
CVE-2022-41777, CVE-2022-42496
- Nako3edit, editor component of nadesiko3 (PC Version) v3.3.74 and earlier
Description
Nadesiko3 provided by kujirahand contains multiple vulnerabilities listed below.
OS command injection vulnerability in processing compression and decompression (CWE-78) - CVE-2022-41642
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 9.8
CVSS v2
AV:N/AC:L/Au:N/C:P/I:P/A:P
Base Score: 7.5
Improper check or handling of exceptional conditions in nako3edit (CWE-703) - CVE-2022-41777
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score: 5.3
CVSS v2
AV:N/AC:L/Au:N/C:N/I:N/A:P
Base Score: 5.0
OS command injection vulnerability via “file” parameter in nako3edit (CWE-78) - CVE-2022-42496
CVSS v3
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.1
CVSS v2
AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score: 6.8
Impact
- An arbitrary OS command may be executed on the product if compression and/or decompression is executed - CVE-2022-41642
- Injecting an invalid value to decodeURIComponent of nako3edit may lead the server to crash - CVE-2022-41777
- An arbitrary OS command may be executed on the product via “file” parameter in nako3edit if appkey of the product is obtained by the remote unauthenticated attacker - CVE-2022-42496
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
Vendor Status
Vendor
Status
Last Update
Vendor Notes
kujirahand
Vulnerable
2022/10/28
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Satoki Tsuji reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
Update History
2022/10/28
Information under [Products Affected] was updated.
Related news
Nako3edit is the editor component of Nadeshiko 3, a programming language developed based on Japanese. Improper check or handling of exceptional conditions in Nako3edit v3.3.74 and earlier allows a remote attacker to inject an invalid value to decodeURIComponent of nako3edit, which may lead the server to crash.
OS command injection vulnerability in Nako3edit, editor component of nadesiko3 (PC Version) v3.3.74 and earlier allows a remote attacker to obtain appkey of the product and execute an arbitrary OS command on the product.
OS command injection vulnerability in Nadesiko3 (PC Version) v3.3.68 and earlier allows a remote attacker to execute an arbitrary OS command when processing compression and decompression on the product. Release notes for versions 3.3.62 and 3.3.69 both link to patches for this particular issue. The [JPCERT/CC](https://jvn.jp/en/jp/JVN56968681/index.html) advisory lists versions 3.3.68 and prior as vulnerable, and the most recent patch for this issue is tagged with version 3.3.69.