Overview: Multiple vulnerabilities in JustSystems products.

Products Affected:
- Ichitaro series
- Rakuraku Hagaki series
- JUST Office series
- JUST Government series
- JUST Police series

Description:
- Use after free (CWE-416): CVE-2023-34366 (Base Score: 3.3 for CVSS v3, 1.9 for CVSS v2)
- Integer overflow (CWE-190): CVE-2023-38127 (Base Score: 3.3 for CVSS v3, 1.9 for CVSS v2)
- Access of resource using incompatible type (Type confusion) (CWE-843): CVE-2023-38128 (Base Score: 3.3 for CVSS v3, 1.9 for CVSS v2)
- Improper validation of array index (CWE-129): CVE-2023-35126 (Base Score: 3.3 for CVSS v3, 1.9 for CVSS v2)

Impact: Processing a specially crafted file may lead to the product's abnormal termination.

Solution: Apply the patch according to the information provided by the developer.

Vendor Status:
- JustSystems Corporation: For Safe Use of JustSystems Products (Text in Japanese)

References: None

JPCERT/CC Addendum: Reporter states arbitrary code execution is possible; developer states impact is abnormal termination only.

Vulnerability Analysis by JPCERT/CC: None

Credit: Cisco Talos Security Intelligence & Research Group discovered and reported the vulnerabilities.

Other Information: Tracked by JVNDB-2023-000102