Headline
CVE-2022-34825: NV22-014_en: Security Information | NEC
Uncontrolled Search Path Element in CLUSTERPRO X 5.0 for Windows and earlier, EXPRESSCLUSTER X 5.0 for Windows and earlier, CLUSTERPRO X 5.0 SingleServerSafe for Windows and earlier, EXPRESSCLUSTER X 5.0 SingleServerSafe for Windows and earlier allows a remote unauthenticated attacker to overwrite existing files on the file system and to potentially execute arbitrary code.
Multiple vulnerabilities in EXPRESSCLUSTER X
Number: NV22-014
CVE: CVE-2022-34822, CVE-2022-34823, CVE-2022-34824, CVE-2022-34825
Overview
EXPRESSCLUSTER X contains multiple vulnerabilities.
Relative Path Traversal - CVE-2022-34822
Stack-based Buffer Overflow - CVE-2022-34823
Incorrect Default Permissions - CVE-2022-34824
Uncontrolled Search Path Element - CVE-2022-34825
Products Affected
EXPRESSCLUSTER X
Affected Version
EXPRESSCLUSTER X 1.0 for Windows
EXPRESSCLUSTER X 2.0 for Windows
EXPRESSCLUSTER X 2.1 for Windows
EXPRESSCLUSTER X 3.0 for Windows
EXPRESSCLUSTER X 3.1 for Windows
EXPRESSCLUSTER X 3.2 for Windows
EXPRESSCLUSTER X 3.3 for Windows
EXPRESSCLUSTER X 4.0 for Windows
EXPRESSCLUSTER X 4.1 for Windows
EXPRESSCLUSTER X 4.2 for Windows
EXPRESSCLUSTER X 4.3 for Windows
EXPRESSCLUSTER X 5.0 for Windows
EXPRESSCLUSTER X 1.0 SingleServerSafe for Windows
EXPRESSCLUSTER X 2.0 SingleServerSafe for Windows
EXPRESSCLUSTER X 2.1 SingleServerSafe for Windows
EXPRESSCLUSTER X 3.0 SingleServerSafe for Windows
EXPRESSCLUSTER X 3.1 SingleServerSafe for Windows
EXPRESSCLUSTER X 3.2 SingleServerSafe for Windows
EXPRESSCLUSTER X 3.3 SingleServerSafe for Windows
EXPRESSCLUSTER X 4.0 SingleServerSafe for Windows
EXPRESSCLUSTER X 4.1 SingleServerSafe for Windows
EXPRESSCLUSTER X 4.2 SingleServerSafe for Windows
EXPRESSCLUSTER X 4.3 SingleServerSafe for Windows
EXPRESSCLUSTER X 5.0 SingleServerSafe for Windows
Solution
References
Credit
Reported by Mr. Michael Heinzl for NEC-PSIRT.
Update