CVE-2019-17327 - OpenCVE

JEUS 7 Fix#0~5 and JEUS 8Fix#0~1 versions contains a directory traversal vulnerability caused by improper input parameter check when uploading installation file in administration web page. That leads remote attacker to execute arbitrary code via uploaded file.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Tmaxsoft	Jeus

Configuration 1 [-]

OR	cpe:2.3:a:tmaxsoft:jeus:7:fix_0::::::
	cpe:2.3:a:tmaxsoft:jeus:7:fix_5::::::
	cpe:2.3:a:tmaxsoft:jeus:8:fix_0::::::
	cpe:2.3:a:tmaxsoft:jeus:8:fix_1::::::

References

Link	Resource
https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35197	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: krcert

Published: 2019-11-08T17:54:05

Updated: 2019-11-08T17:54:05

Reserved: 2019-10-07T00:00:00

Link: CVE-2019-17327

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-11-08T18:15:13.467

Modified: 2019-11-13T20:47:04.447

Link: CVE-2019-17327

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"containers": {"cna": {"affected": [{"product": "JEUS", "vendor": "TmaxSoft", "versions": [{"status": "affected", "version": "JEUS 7 Fix#0~5, JEUS 8Fix#0~1"}]}], "descriptions": [{"lang": "en", "value": "JEUS 7 Fix#0~5 and JEUS 8Fix#0~1 versions contains a directory traversal vulnerability caused by improper input parameter check when uploading installation file in administration web page. That leads remote attacker to execute arbitrary code via uploaded file."}], "problemTypes": [{"descriptions": [{"description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-11-08T17:54:05", "orgId": "cdd7a122-0fae-4202-8d86-14efbacc2863", "shortName": "krcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35197"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vuln@krcert.or.kr", "ID": "CVE-2019-17327", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "JEUS", "version": {"version_data": [{"version_value": "JEUS 7 Fix#0~5, JEUS 8Fix#0~1"}]}}]}, "vendor_name": "TmaxSoft"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "JEUS 7 Fix#0~5 and JEUS 8Fix#0~1 versions contains a directory traversal vulnerability caused by improper input parameter check when uploading installation file in administration web page. That leads remote attacker to execute arbitrary code via uploaded file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35197", "refsource": "MISC", "url": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35197"}]}}}}, "cveMetadata": {"assignerOrgId": "cdd7a122-0fae-4202-8d86-14efbacc2863", "assignerShortName": "krcert", "cveId": "CVE-2019-17327", "datePublished": "2019-11-08T17:54:05", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2019-11-08T17:54:05", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tmaxsoft:jeus:7:fix_0:*:*:*:*:*:*", "matchCriteriaId": "30A1BF9A-C29E-420A-AF80-E6AAB1F54D91", "vulnerable": true}, {"criteria": "cpe:2.3:a:tmaxsoft:jeus:7:fix_5:*:*:*:*:*:*", "matchCriteriaId": "3EAD3E3A-BD44-4A40-B338-E2A0B73A11EC", "vulnerable": true}, {"criteria": "cpe:2.3:a:tmaxsoft:jeus:8:fix_0:*:*:*:*:*:*", "matchCriteriaId": "F1B87C92-273A-43E5-AF78-E2E5F92AA4ED", "vulnerable": true}, {"criteria": "cpe:2.3:a:tmaxsoft:jeus:8:fix_1:*:*:*:*:*:*", "matchCriteriaId": "394242F2-D8AF-420C-AFEC-C350F083B2E9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "JEUS 7 Fix#0~5 and JEUS 8Fix#0~1 versions contains a directory traversal vulnerability caused by improper input parameter check when uploading installation file in administration web page. That leads remote attacker to execute arbitrary code via uploaded file."}, {"lang": "es", "value": "Las versiones JEUS 7 Fix#0~5 y JEUS 8 Fix#0~1, contienen una vulnerabilidad de salto de directorio causada por una comprobaci\u00f3n inapropiada de los par\u00e1metros de entrada cuando se actualiza el archivo de instalaci\u00f3n en la p\u00e1gina web de administraci\u00f3n. Esto conlleva al atacante remoto a ejecutar c\u00f3digo arbitrario por medio del archivo cargado."}], "id": "CVE-2019-17327", "lastModified": "2019-11-13T20:47:04.447", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-11-08T18:15:13.467", "references": [{"source": "vuln@krcert.or.kr", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35197"}], "sourceIdentifier": "vuln@krcert.or.kr", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}