PT-2021-14179 · Fujitsu · Software Download Installer+1
Yuji Tounai · Published 2021-05-24 · Updated 2022-05-03 · CVE-2021-20722
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
ScanSnap Manager versions prior to V7.0L20
Software Download Installer versions prior to WinSSInst2JP.exe and WinSSInst2iX1500JP.exe
Description:
An untrusted search path vulnerability in the installers allows an attacker to gain privileges and execute arbitrary code with the privileges of the user invoking the installer, via a Trojan horse DLL in an unspecified directory.
Recommendations:
For ScanSnap Manager versions prior to V7.0L20, update to version V7.0L20 or later to resolve the issue.
For Software Download Installer versions prior to WinSSInst2JP.exe and WinSSInst2iX1500JP.exe, update to WinSSInst2JP.exe and WinSSInst2iX1500JP.exe or later to resolve the issue.
As a temporary workaround, consider restricting access to the installer to minimize the risk of exploitation.
Fix
Uncontrolled Search Path Element
Weakness Enumeration
Related Identifiers
Affected Products
Scansnap Manager
Software Download Installer