Vulnerability-Lookup - Search a vulnerability

Refine your search

Product

Sort by

Order

Sources

1 vulnerability found for winsparkle by winsparkle

jvndb-2016-000251

Vulnerability from jvndb

Published

2016-12-26 14:45

Modified

2018-02-16 16:00

Severity ?

3.6 (Low) - cvssV3_0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L

Summary

WinSparkle issue where registry value is not validated

Details

When an application that uses WinSparkle is launched, it checks the directory used by WinSparkle for temporary files and deletes any temporary files. This directory path is specified in a registry key. In a situation where an attacker has modified the specific registry value used by this library, and a user launches an application that uses WinSparkle, an unintended directory or file may be deleted. Takashi Yoshikawa of Mitsui Bussan Secure Directions, Inc. reported this issue to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

References

Type

URL

	JVN	https://jvn.jp/en/jp/JVN96681653/
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7838
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2016-7838
	No Mapping(CWE-Other)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

Vendor

Product

WinSparkle

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000251.html",
  "dc:date": "2018-02-16T16:00+09:00",
  "dcterms:issued": "2016-12-26T14:45+09:00",
  "dcterms:modified": "2018-02-16T16:00+09:00",
  "description": "When an application that uses WinSparkle is launched, it checks the directory used by WinSparkle for temporary files and deletes any temporary files. This directory path is specified in a registry key.\r\n\r\nIn a situation where an attacker has modified the specific registry value used by this library, and a user launches an application that uses WinSparkle, an unintended directory or file may be deleted.\r\n\r\nTakashi Yoshikawa of Mitsui Bussan Secure Directions, Inc. reported this issue to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000251.html",
  "sec:cpe": {
    "#text": "cpe:/a:winsparkle:winsparkle",
    "@product": "WinSparkle",
    "@vendor": "WinSparkle",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "4.0",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:P",
      "@version": "2.0"
    },
    {
      "@score": "3.6",
      "@severity": "Low",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2016-000251",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN96681653/",
      "@id": "JVN#96681653",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7838",
      "@id": "CVE-2016-7838",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2016-7838",
      "@id": "CVE-2016-7838",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "WinSparkle issue where registry value is not validated"
}