
by P4rkJW

We Got CVE-2019-13157 and CVE-2020-9751


We reported a non-ActiveX vulnerability in a program, which earned them a Bug Bounty citation from the Financial Security Institute.

As security researchers, our job is to find vulnerabilities in software before attackers can exploit them. Recently, we discovered two major vulnerabilities in popular software that earned us CVE IDs: CVE-2019-13157 and CVE-2020-9751.

What are CVEs?

CVE stands for Common Vulnerabilities and Exposures. It is a dictionary of publicly known information security vulnerabilities and exposures, each assigned a unique identifier. When a vulnerability is assigned a CVE ID, security professionals and vendors can easily refer to that specific vulnerability.

CVE-2019-13157

The first vulnerability we found was in Naver Vaccine 2.1.4. It allowed remote attackers to overwrite arbitrary files via directory traversal sequences in a filename within an nsz archive: an entry name containing `..` segments could make the extractor write outside the intended destination directory.
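As an added, defender-side illustration (not code from the original post or from NAVER): a Python check of the kind an archive extractor needs to stop the entry-name traversal described above. The nsz format is not specified here, so the archive is modelled as a constructed list of entry names, and both `/` and `\` separators, absolute paths, and drive letters are handled.

```python
import os
import posixpath
from typing import List, Optional, Tuple

# Constructed sample entries (name, payload); the real nsz layout is not
# described on the page, so a plain list stands in for the archive index.
SAMPLE_ENTRIES: List[Tuple[str, bytes]] = [
    ("update/readme.txt", b"hello"),
    ("../../Windows/System32/evil.dll", b"x"),
    ("..\\..\\startup\\run.bat", b"x"),
    ("C:\\Windows\\win.ini", b"x"),
    ("/etc/passwd", b"x"),
    ("nested/../ok.txt", b"ok"),
]


def safe_extract_path(dest_root: str, entry_name: str) -> Optional[str]:
    """Return the absolute target path for an archive entry, or None if the
    entry name would land outside dest_root."""
    # Treat Windows separators like '/', so '..\\' is not smuggled past the check.
    name = entry_name.replace("\\", "/")
    # Reject absolute paths and drive-letter prefixes outright.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return None
    # Collapse '.' and '..' segments lexically, then refuse anything that
    # still climbs above the root.
    normalised = posixpath.normpath(name)
    if normalised == ".." or normalised.startswith("../"):
        return None
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, *normalised.split("/")))
    # Final containment check after symlink resolution: the target must sit
    # under the root, otherwise it is rejected.
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def rejected_entries(dest_root: str, entries: List[Tuple[str, bytes]]) -> List[str]:
    """Names of entries the extractor must skip (and ideally log) for dest_root."""
    return [name for name, _ in entries if safe_extract_path(dest_root, name) is None]


if __name__ == "__main__":
    for bad in rejected_entries("/tmp/extract", SAMPLE_ENTRIES):
        print("rejected traversal entry:", bad)
```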

We immediately reported this vulnerability to NAVER Corporation and worked closely with them until a patch was released. NAVER Corporation acknowledged our efforts, and the issue was assigned CVE-2019-13157.

CVE-2020-9751

The second vulnerability we found was in Naver Cloud Explorer before version 2.2.2.11. It allowed the program to download an arbitrary file from an attacker-controlled server and execute it during the upgrade process.

Again, we immediately reported this vulnerability to NAVER Corporation and worked closely with them until a patch was released. NAVER Corporation acknowledged our efforts, and the issue was assigned CVE-2020-9751.

Conclusion

As security researchers, finding vulnerabilities in software is not only our job but also our responsibility towards making technology safer for everyone. By discovering these two critical vulnerabilities and working with the vendor to release patches, we helped prevent potential attacks that could have had severe consequences for individuals or organizations using these products.

You can check the CVE we found at the link below.

This has been P4rkJW. Thank you.