CVE-2023-25953: LINE WORKS Drive Explorer vulnerable to code injection

A code injection vulnerability in Drive Explorer for macOS versions 3.5.4 and earlier allows an attacker who can log in to the client where the affected product is installed to inject arbitrary code during execution of the product. Because the full disk access privilege is required to run LINE WORKS Drive Explorer, the attacker may be able to read and/or write arbitrary files without holding the corresponding access privileges.

Published: 2023/05/08
Last Updated: 2023/05/09

Overview

LINE WORKS Drive Explorer contains a code injection vulnerability.

Products Affected

  • Drive Explorer for macOS versions 3.5.4 and earlier

Description

LINE WORKS Drive Explorer provided by WORKS MOBILE Japan Corp. contains a code injection vulnerability (CWE-94).

Impact

An attacker who can log in to the client where the affected product is installed may inject arbitrary code during execution of the product. Because the full disk access privilege is required to run LINE WORKS Drive Explorer, the attacker may be able to read and/or write arbitrary files without holding the corresponding access privileges.

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

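CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

  • Attack Vector (AV): Physical (P) / Local (L) / Adjacent (A) / Network (N); vector value: Local (L)
  • Attack Complexity (AC): High (H) / Low (L); vector value: Low (L)
  • Privileges Required (PR): High (H) / Low (L) / None (N); vector value: None (N)
  • User Interaction (UI): Required (R) / None (N); vector value: None (N)
  • Scope (S): Unchanged (U) / Changed (C); vector value: Changed (C)
  • Confidentiality Impact (C): None (N) / Low (L) / High (H); vector value: High (H)
  • Integrity Impact (I): None (N) / Low (L) / High (H); vector value: High (H)
  • Availability Impact (A): None (N) / Low (L) / High (H); vector value: None (N)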

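CVSS v2 AV:L/AC:L/Au:N/C:C/I:C/A:N

  • Access Vector (AV): Local (L) / Adjacent Network (A) / Network (N); vector value: Local (L)
  • Access Complexity (AC): High (H) / Medium (M) / Low (L); vector value: Low (L)
  • Authentication (Au): Multiple (M) / Single (S) / None (N); vector value: None (N)
  • Confidentiality Impact (C): None (N) / Partial (P) / Complete (C); vector value: Complete (C)
  • Integrity Impact (I): None (N) / Partial (P) / Complete (C); vector value: Complete (C)
  • Availability Impact (A): None (N) / Partial (P) / Complete (C); vector value: None (N)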

Credit

Koh M. Nakagawa reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

Update History

2023/05/09

Information under the section [Products Affected] was updated.
