Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-36344

An unquoted search path vulnerability exists in 'JustSystems JUST Online Update for J-License' bundled with multiple products for corporate users as in Ichitaro through Pro5 and others. Since the affected product starts another program with an unquoted file path, a malicious file may be executed with the privilege of the Windows service if it is placed in a certain path. Affected products are bundled with the following product series: Office and Office Integrated Software, ATOK, Hanako, JUST PDF, Shuriken, Homepage Builder, JUST School, JUST Smile Class, JUST Smile, JUST Frontier, JUST Jump, and Tri-De DetaProtect.

Security Impact Summary

This vulnerability carries a CRITICAL severity rating with a CVSS v3.1 score of 9.8, indicating it can be exploited remotely over the network with relatively low complexity without requiring user interaction and does not require pre-existing privileges . The vulnerability impacts confidentiality (data exposure), integrity (unauthorized modifications), and availability (service disruption) for affected systems. Impacting 60 products from justsystems, from justsystems, from justsystems and 57 others, organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2022, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2022-08-16T08:15:09.157

Last Modified

2024-11-21T07:12:49.830

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses

Type: Primary
CWE-428

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	justsystems	atok_medical_2	*	Yes
Application	justsystems	atok_medical_3	*	Yes
Application	justsystems	atok_pro_3	*	Yes
Application	justsystems	atok_pro_4	*	Yes
Application	justsystems	atok_pro_5	*	Yes
Application	justsystems	hanako_police_5	*	Yes
Application	justsystems	hanako_police_6	*	Yes
Application	justsystems	hanako_police_7	*	Yes
Application	justsystems	hanako_pro_3	*	Yes
Application	justsystems	hanako_pro_4	*	Yes
Application	justsystems	hanako_pro_5	*	Yes
Application	justsystems	homepage_builder_20	*	Yes
Application	justsystems	homepage_builder_21	*	Yes
Application	justsystems	homepage_builder_22	*	Yes
Application	justsystems	ichitaro_government_10	*	Yes
Application	justsystems	ichitaro_government_8	-	Yes
Application	justsystems	ichitaro_government_9	*	Yes
Application	justsystems	ichitaro_pro_3	*	Yes
Application	justsystems	ichitaro_pro_4	*	Yes
Application	justsystems	ichitaro_pro_5	*	Yes
Application	justsystems	just_calc_3	*	Yes
Application	justsystems	just_calc_4	*	Yes
Application	justsystems	just_calc_5	*	Yes
Application	justsystems	just_focus_3	*	Yes
Application	justsystems	just_focus_4	*	Yes
Application	justsystems	just_frontier_3	*	Yes
Application	justsystems	just_government_2	*	Yes
Application	justsystems	just_government_3	*	Yes
Application	justsystems	just_government_4	*	Yes
Application	justsystems	just_government_5	*	Yes
Application	justsystems	just_jump_8	*	Yes
Application	justsystems	just_jump_class	*	Yes
Application	justsystems	just_jump_class_2	*	Yes
Application	justsystems	just_medical_2	*	Yes
Application	justsystems	just_medical_3	*	Yes
Application	justsystems	just_medical_4	*	Yes
Application	justsystems	just_medical_5	*	Yes
Application	justsystems	just_note_3	*	Yes
Application	justsystems	just_note_4	*	Yes
Application	justsystems	just_note_5	*	Yes
Application	justsystems	just_office_2	*	Yes
Application	justsystems	just_office_3	*	Yes
Application	justsystems	just_office_4	*	Yes
Application	justsystems	just_office_5	*	Yes
Application	justsystems	just_pdf_3	*	Yes
Application	justsystems	just_pdf_4	*	Yes
Application	justsystems	just_pdf_5	*	Yes
Application	justsystems	just_pdf_5	*	Yes
Application	justsystems	just_police_2	*	Yes
Application	justsystems	just_police_3	*	Yes
Application	justsystems	just_police_4	*	Yes
Application	justsystems	just_police_5	*	Yes
Application	justsystems	just_school_6	*	Yes
Application	justsystems	just_school_7	*	Yes
Application	justsystems	just_smile_6	*	Yes
Application	justsystems	just_smile_7	*	Yes
Application	justsystems	just_smile_8	*	Yes
Application	justsystems	just_smile_class_2	*	Yes
Application	justsystems	shuriken_pro_6	*	Yes
Application	justsystems	shuriken_pro_7	*	Yes
Application	justsystems	tri-de_dataprotect	*	Yes

References

https://jvn.jp/en/jp/JVN57073973/index.html Third Party Advisory ([email protected])
https://www.justsystems.com/jp/corporate/info/js22001.html Vendor Advisory ([email protected])
https://jvn.jp/en/jp/JVN57073973/index.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.justsystems.com/jp/corporate/info/js22001.html Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For justsystems's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.