CVE-2022-36344

CRITICAL

JustSystems JUST Online Update for J-License - Path Traversal

Title source: llm

Description

An unquoted search path vulnerability exists in 'JustSystems JUST Online Update for J-License' bundled with multiple products for corporate users as in Ichitaro through Pro5 and others. Since the affected product starts another program with an unquoted file path, a malicious file may be executed with the privilege of the Windows service if it is placed in a certain path. Affected products are bundled with the following product series: Office and Office Integrated Software, ATOK, Hanako, JUST PDF, Shuriken, Homepage Builder, JUST School, JUST Smile Class, JUST Smile, JUST Frontier, JUST Jump, and Tri-De DetaProtect.

References (2)

[Vendor Advisory] https://www.justsystems.com/jp/corporate/info/js22001.html

[Third Party Advisory] https://jvn.jp/en/jp/JVN57073973/index.html

Scores

CVSS v3 9.8

EPSS 0.0071

EPSS Percentile 72.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-428

Status published

Products (49)

justsystems/atok_medical_2

justsystems/atok_medical_3

justsystems/atok_pro_3

justsystems/atok_pro_4

justsystems/atok_pro_5

justsystems/hanako_police_5

justsystems/hanako_police_6

justsystems/hanako_police_7

justsystems/hanako_pro_3

justsystems/hanako_pro_4

... and 39 more

Published Aug 16, 2022

Tracked Since Feb 18, 2026