Mis-configuration of Apache Velocity template engine used to send emails in GigaCC OFFICE


GigaCC OFFICE provided by WAM!NET Japan K.K. contains mis-configuration of Apache Velocity template engine which is used to send emails.

WAM!NET Japan K.K. and the following people reported these vulnerabilities to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and WAM!NET Japan K.K. coordinated under the Information Security Early Warning Partnership.

Dongjoo Ha and Heaeun Moon of NSHC Pre., Ltd.
Masaki Yoshikawa of Recruit Technologies Co.,Ltd.
CVSS Severity (What is CVSS?)

Base Metrics: 6.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

CVSS V3 Severity:
Base Metrics: 5.5 (Medium) [IPA Score]
  • Access Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low
Affected Products

WAM!NET Japan K.K.
  • GigaCC ver.2.3 and earlier

For more information, refer to the information provided by the developer.

Sending emails using a specially crafted mail template may result in an arbitrary OS command executed on the server.

[Update to the latest version and then apply a patch]
Update to GigaCC OFFICE ver.2.3 and then apply an appropriate patch according to the information provided by the developer.
Vendor Information

Apache Software Foundation WAM!NET Japan K.K.
CWE (What is CWE?)

CVE (What is CVE?)

  1. CVE-2016-7844

  1. JVN : JVNVU#91417143
Revision History

  Web page was published