CVE-2022-36344
high-risk
Published 2022-08-16
An unquoted search path vulnerability exists in 'JustSystems JUST Online Update for J-License', which is bundled with multiple products for corporate users, such as Ichitaro through Pro5 and others. Because the affected product starts another program with an unquoted file path, a malicious file placed in a certain path may be executed with the privileges of the Windows service. Affected products are bundled with the following product series: Office and Office Integrated Software, ATOK, Hanako, JUST PDF, Shuriken, Homepage Builder, JUST School, JUST Smile Class, JUST Smile, JUST Frontier, JUST Jump, and Tri-De DetaProtect.
Do I need to act?
0.71% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 9.8/10 (Critical)
NETWORK / LOW complexity
Affected Products (20)
Atok Medical 2
Atok Medical 3
Atok Pro 3
Atok Pro 4
Atok Pro 5
Hanako Police 5
Hanako Police 6
Hanako Police 7
Hanako Pro 3
Hanako Pro 4
Hanako Pro 5
Homepage Builder 20
Homepage Builder 21
Homepage Builder 22
Ichitaro Government 10
Ichitaro Government 8
Ichitaro Government 9
Ichitaro Pro 3
Ichitaro Pro 4
Ichitaro Pro 5
Affected Vendors
References
Third Party Advisory: https://jvn.jp/en/jp/JVN57073973/index.html
Vendor Advisory: https://www.justsystems.com/jp/corporate/info/js22001.html
61 / 100 · high-risk
Severity: 32/34 · Critical
Exploitability: 2/34 · Minimal
Exposure: 27/34 · High