JVNDB-2015-000174

Multiple TYPE-MOON games vulnerable to OS command injection



Multiple games provided by TYPE-MOON contain an OS command injection vulnerability (CWE-78) due to an issue in loading save data.



KUSANO Kazuhiko reported this vulnerability to IPA.

JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



CVSS V2 Severity:

Base Metrics 6.8 (Medium) [IPA Score]

* Access Vector: Network
* Access Complexity: Medium
* Authentication: None
* Confidentiality Impact: Partial
* Integrity Impact: Partial
* Availability Impact: Partial







TYPE-MOON / Notes Co.,Ltd.

* Fate/hollow ataraxia
* Fate/stay night (CD, DVD)
* Fate/stay night + hollow ataraxia set
* Witch on the Holy Night







When specially crafted save data is loaded, an arbitrary OS command may be executed.



[Apply a Workaround]

The following workaround can mitigate the effects of this vulnerability.

* Do not load save data provided by an untrusted source.



* JVN : JVN#80144272
* National Vulnerability Database (NVD) : CVE-2015-5672