Vulnerabilities related to Kingsoft Office Software, Inc. - WPS Office
jvndb-2022-001387
Vulnerability from jvndb
Published
2022-03-09 12:30
Modified
2024-06-21 11:37
Summary
Installer of WPS Office for Windows misconfigures the ACL for the installation directory
Details
Installer of WPS Office for Windows misconfigures the ACL for the installation directory.
When WPS Office for Windows is installed, a service program is registered with the OS and is invoked with administrative privilege.
The installer fails to properly configure the ACL for the directory where the service program is installed (CWE-276).
Mohammed Hadi reported this vulnerability to the vendor and JPCERT/CC.
JPCERT/CC coordinated with the developer.
References
| Type | URL |
|---|---|
| JVN | https://jvn.jp/en/vu/JVNVU90673830/index.html |
| CVE | https://www.cve.org/CVERecord?id=CVE-2022-259434 |
| NVD | https://nvd.nist.gov/vuln/detail/CVE-2022-25943 |
| Related document | https://github.com/HadiMed/KINGSOFT-WPS-Office-LPE |
| Incorrect Default Permissions (CWE-276) | https://cwe.mitre.org/data/definitions/276.html |
Impacted products
| Vendor | Product |
|---|---|
| Kingsoft Office Software, Inc. | WPS Office |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-001387.html", "dc:date": "2024-06-21T11:37+09:00", "dcterms:issued": "2022-03-09T12:30+09:00", "dcterms:modified": "2024-06-21T11:37+09:00", "description": "Installer of WPS Office for Windows misconfigures the ACL for the installation directory.\r\n\r\nWhen WPS Office for Windows is installed, some service program is registered to the OS, which is invoked with some administrative privilege.\r\nThe installer fails to configure properly the ACL for the directory where the service program is installed (CWE-276).\r\n\r\nMohammed Hadi reported this vulnerability to the vendor and JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.", "link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-001387.html", "sec:cpe": { "#text": "cpe:/a:kingsoft:wps_office", "@product": "WPS Office", "@vendor": "Kingsoft Office Software, Inc.", "@version": "2.2" }, "sec:cvss": [ { "@score": "4.3", "@severity": "Medium", "@type": "Base", "@vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "@version": "2.0" }, { "@score": "7.8", "@severity": "High", "@type": "Base", "@vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "@version": "3.0" } ], "sec:identifier": "JVNDB-2022-001387", "sec:references": [ { "#text": "https://jvn.jp/en/vu/JVNVU90673830/index.html", "@id": "JVNVU#90673830", "@source": "JVN" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2022-259434", "@id": "CVE-2022-25943", "@source": "CVE" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-25943", "@id": "CVE-2022-25943", "@source": "NVD" }, { "#text": "https://github.com/HadiMed/KINGSOFT-WPS-Office-LPE", "@id": "GitHub / HadiMed / KINGSOFT-WPS-Office-LPE", "@source": "Related document" }, { "#text": "https://cwe.mitre.org/data/definitions/276.html", "@id": "CWE-276", "@title": "Incorrect Default Permissions(CWE-276)" } ], "title": "Installer of WPS Office for Windows misconfigures the ACL for the installation directory" }