Search

Find a vulnerability

Search criteria

    3 vulnerabilities by SAISON INFORMATION SYSTEMS CO.,LTD.

    CVE-2023-28937 (GCVE-0-2023-28937)

    Vulnerability from nvd – Published: 2023-06-01 00:00 – Updated: 2025-01-09 19:27
    VLAI
    Summary
    DataSpider Servista version 4.4 and earlier uses a hard-coded cryptographic key. DataSpider Servista is data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista. The cryptographic key is embedded in ScriptRunner and ScriptRunner for Amazon SQS, which is common to all users. If an attacker who can gain access to a target DataSpider Servista instance and obtain a Launch Settings file of ScriptRunner and/or ScriptRunner for Amazon SQS, the attacker may perform operations with the user privilege encrypted in the file. Note that DataSpider Servista and some of the OEM products are affected by this vulnerability. For the details of affected products and versions, refer to the information listed in [References].
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Use of hard-coded cryptographic key
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T13:51:38.949Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.hulft.com/download_file/18675"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN38222042/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.hulft.com/application/files/4416/8420/4506/information_20230519_2_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.terrasky.co.jp/files/DCSpider_ScriptRunnerVulnerability.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.justsystems.com/jp/services/actionista/info/20230519_001/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cs.wingarc.com/ja/download/000023565"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cs.wingarc.com/ja/download/000022448"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cs.wingarc.com/ja/download/000016244"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-28937",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T19:26:50.996126Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-798",
                    "description": "CWE-798 Use of Hard-coded Credentials",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T19:27:35.450Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "DataSpider Servista",
              "vendor": "SAISON INFORMATION SYSTEMS CO.,LTD.",
              "versions": [
                {
                  "status": "affected",
                  "version": "version 4.4 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "DataSpider Servista version 4.4 and earlier uses a hard-coded cryptographic key. DataSpider Servista is data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista. The cryptographic key is embedded in ScriptRunner and ScriptRunner for Amazon SQS, which is common to all users. If an attacker who can gain access to a target DataSpider Servista instance and obtain a Launch Settings file of ScriptRunner and/or ScriptRunner for Amazon SQS, the attacker may perform operations with the user privilege encrypted in the file. Note that DataSpider Servista and some of the OEM products are affected by this vulnerability. For the details of affected products and versions, refer to the information listed in [References]."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Use of hard-coded cryptographic key",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-13T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.hulft.com/download_file/18675"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN38222042/"
            },
            {
              "url": "https://www.hulft.com/application/files/4416/8420/4506/information_20230519_2_en.pdf"
            },
            {
              "url": "https://www.terrasky.co.jp/files/DCSpider_ScriptRunnerVulnerability.pdf"
            },
            {
              "url": "https://www.justsystems.com/jp/services/actionista/info/20230519_001/"
            },
            {
              "url": "https://cs.wingarc.com/ja/download/000023565"
            },
            {
              "url": "https://cs.wingarc.com/ja/download/000022448"
            },
            {
              "url": "https://cs.wingarc.com/ja/download/000016244"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-28937",
        "datePublished": "2023-06-01T00:00:00.000Z",
        "dateReserved": "2023-05-11T00:00:00.000Z",
        "dateUpdated": "2025-01-09T19:27:35.450Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-28937 (GCVE-0-2023-28937)

    Vulnerability from cvelistv5 – Published: 2023-06-01 00:00 – Updated: 2025-01-09 19:27
    VLAI
    Summary
    DataSpider Servista version 4.4 and earlier uses a hard-coded cryptographic key. DataSpider Servista is data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista. The cryptographic key is embedded in ScriptRunner and ScriptRunner for Amazon SQS, which is common to all users. If an attacker who can gain access to a target DataSpider Servista instance and obtain a Launch Settings file of ScriptRunner and/or ScriptRunner for Amazon SQS, the attacker may perform operations with the user privilege encrypted in the file. Note that DataSpider Servista and some of the OEM products are affected by this vulnerability. For the details of affected products and versions, refer to the information listed in [References].
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Use of hard-coded cryptographic key
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T13:51:38.949Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.hulft.com/download_file/18675"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN38222042/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.hulft.com/application/files/4416/8420/4506/information_20230519_2_en.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.terrasky.co.jp/files/DCSpider_ScriptRunnerVulnerability.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.justsystems.com/jp/services/actionista/info/20230519_001/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cs.wingarc.com/ja/download/000023565"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cs.wingarc.com/ja/download/000022448"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://cs.wingarc.com/ja/download/000016244"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-28937",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T19:26:50.996126Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-798",
                    "description": "CWE-798 Use of Hard-coded Credentials",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T19:27:35.450Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "DataSpider Servista",
              "vendor": "SAISON INFORMATION SYSTEMS CO.,LTD.",
              "versions": [
                {
                  "status": "affected",
                  "version": "version 4.4 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "DataSpider Servista version 4.4 and earlier uses a hard-coded cryptographic key. DataSpider Servista is data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista. The cryptographic key is embedded in ScriptRunner and ScriptRunner for Amazon SQS, which is common to all users. If an attacker who can gain access to a target DataSpider Servista instance and obtain a Launch Settings file of ScriptRunner and/or ScriptRunner for Amazon SQS, the attacker may perform operations with the user privilege encrypted in the file. Note that DataSpider Servista and some of the OEM products are affected by this vulnerability. For the details of affected products and versions, refer to the information listed in [References]."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Use of hard-coded cryptographic key",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-13T00:00:00.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.hulft.com/download_file/18675"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN38222042/"
            },
            {
              "url": "https://www.hulft.com/application/files/4416/8420/4506/information_20230519_2_en.pdf"
            },
            {
              "url": "https://www.terrasky.co.jp/files/DCSpider_ScriptRunnerVulnerability.pdf"
            },
            {
              "url": "https://www.justsystems.com/jp/services/actionista/info/20230519_001/"
            },
            {
              "url": "https://cs.wingarc.com/ja/download/000023565"
            },
            {
              "url": "https://cs.wingarc.com/ja/download/000022448"
            },
            {
              "url": "https://cs.wingarc.com/ja/download/000016244"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-28937",
        "datePublished": "2023-06-01T00:00:00.000Z",
        "dateReserved": "2023-05-11T00:00:00.000Z",
        "dateUpdated": "2025-01-09T19:27:35.450Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    JVNDB-2023-000052

    Vulnerability from jvndb - Published: 2023-05-31 15:34 - Updated:2024-03-19 17:44
    Severity
    Summary
    DataSpider Servista uses a hard-coded cryptographic key
    Details
    DataSpider Servista provided by SAISON INFORMATION SYSTEMS CO.,LTD. is a data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista. The cryptographic key is embedded in ScriptRunner and ScriptRunner for Amazon SQS, which is common to all users (CWE-321). Sato Nobuhiro of Suzuki Motor Corporation and You Okuma of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000052.html",
      "dc:date": "2024-03-19T17:44+09:00",
      "dcterms:issued": "2023-05-31T15:34+09:00",
      "dcterms:modified": "2024-03-19T17:44+09:00",
      "description": "DataSpider Servista provided by SAISON INFORMATION SYSTEMS CO.,LTD. is a data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista.\r\nThe cryptographic key is embedded in ScriptRunner and ScriptRunner for Amazon SQS, which is common to all users (CWE-321).\r\n\r\nSato Nobuhiro of Suzuki Motor Corporation and You Okuma of LAC Co., Ltd. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000052.html",
      "sec:cpe": {
        "#text": "cpe:/a:saison:dataspider_servista",
        "@product": "DataSpider Servista",
        "@vendor": "SAISON INFORMATION SYSTEMS CO.,LTD.",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "5.0",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "@version": "2.0"
        },
        {
          "@score": "5.3",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2023-000052",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN38222042/index.html",
          "@id": "JVN#38222042",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-28937",
          "@id": "CVE-2023-28937",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-28937",
          "@id": "CVE-2023-28937",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-Other",
          "@title": "No Mapping(CWE-Other)"
        }
      ],
      "title": "DataSpider Servista uses a hard-coded cryptographic key"
    }