CVE-2022-36344

CRITICAL | CVSS 9.8/10 | EPSS 0.74%

CVE-2022-36344 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. An unquoted search path vulnerability exists in 'JustSystems JUST Online Update for J-License' bundled with multiple products for corporate users as in Ichitaro through Pro5 and others. Since the affected product starts another program with an unquoted file path, a malicious file may be executed with the privilege of the Windows service if it is placed in a certain path. EPSS estimates a 0.74% chance of exploitation in the next 30 days.

Description

An unquoted search path vulnerability exists in 'JustSystems JUST Online Update for J-License' bundled with multiple products for corporate users as in Ichitaro through Pro5 and others. Since the affected product starts another program with an unquoted file path, a malicious file may be executed with the privilege of the Windows service if it is placed in a certain path. Affected products are bundled with the following product series: Office and Office Integrated Software, ATOK, Hanako, JUST PDF, Shuriken, Homepage Builder, JUST School, JUST Smile Class, JUST Smile, JUST Frontier, JUST Jump, and Tri-De DetaProtect.

Metrics

CVSS 3.1
9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
0.74%

49.8th percentile

Probability of exploitation in the next 30 days.

Affected Software

Vendor | Product | Versions
Justsystems | Atok Medical 2 | All versions
Justsystems | Atok Medical 3 | All versions
Justsystems | Atok Pro 3 | All versions
Justsystems | Atok Pro 4 | All versions
Justsystems | Atok Pro 5 | All versions
Justsystems | Hanako Police 5 | All versions
Justsystems | Hanako Police 6 | All versions
Justsystems | Hanako Police 7 | All versions
Justsystems | Hanako Pro 3 | All versions
Justsystems | Hanako Pro 4 | All versions
Justsystems | Hanako Pro 5 | All versions
Justsystems | Homepage Builder 20 | All versions
Justsystems | Homepage Builder 21 | All versions
Justsystems | Homepage Builder 22 | All versions
Justsystems | Ichitaro Government 10 | All versions
Justsystems | Ichitaro Government 8 | All versions
Justsystems | Ichitaro Government 9 | All versions
Justsystems | Ichitaro Pro 3 | All versions
Justsystems | Ichitaro Pro 4 | All versions
Justsystems | Ichitaro Pro 5 | All versions
Justsystems | Just Calc 3 | All versions
Justsystems | Just Calc 4 | All versions
Justsystems | Just Calc 5 | All versions
Justsystems | Just Focus 3 | All versions
Justsystems | Just Focus 4 | All versions
Justsystems | Just Frontier 3 | All versions
Justsystems | Just Government 2 | All versions
Justsystems | Just Government 3 | All versions
Justsystems | Just Government 4 | All versions
Justsystems | Just Government 5 | All versions
Justsystems | Just Jump 8 | All versions
Justsystems | Just Jump Class | All versions
Justsystems | Just Jump Class 2 | All versions
Justsystems | Just Medical 2 | All versions
Justsystems | Just Medical 3 | All versions
Justsystems | Just Medical 4 | All versions
Justsystems | Just Medical 5 | All versions
Justsystems | Just Note 3 | All versions
Justsystems | Just Note 4 | All versions
Justsystems | Just Note 5 | All versions
Justsystems | Just Office 2 | All versions
Justsystems | Just Office 3 | All versions
Justsystems | Just Office 4 | All versions
Justsystems | Just Office 5 | All versions
Justsystems | Just Pdf 3 | All versions
Justsystems | Just Pdf 4 | All versions
Justsystems | Just Pdf 5 | All versions
Justsystems | Just Police 2 | All versions
Justsystems | Just Police 3 | All versions
Justsystems | Just Police 4 | All versions

Showing 50 of 60 affected configurations. See NVD for the full list.

Timeline

Status: Modified

Source: NVD / NIST