CVE-2023-28394: Beekeeper Studio vulnerable to code injection

Published:2023/05/12 Last Updated:2023/05/12

Overview

Beekeeper Studio contains a code injection vulnerability.

Products Affected

• Beekeeper Studio versions prior to 3.9.9

Description

Beekeeper Studio provided by Beekeeper Studio, Inc. contains a code injection vulnerability (CWE-74).

Impact

A remote authenticated attacker may execute arbitrary JavaScript code with the privilege of the application on the PC where the affected product is installed. As a result, an arbitrary OS command may be executed as well.

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.
The developer released Beekeeper Studio 3.9.9 that contains a fix for this vulnerability.

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector(AV)

Physical §

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required ®

None (N)

Scope(S)

Unchanged (U)

Changed ©

Confidentiality Impact©

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:N/AC:M/Au:S/C:P/I:P/A:P

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact©

None (N)

Partial §

Complete ©

Integrity Impact(I)

None (N)

Partial §

Complete ©

Availability Impact(A)

None (N)

Partial §

Complete ©

Credit

Eiji Mori of Flatt Security Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information