[Japanese]

JVNDB-2017-001054

Arbitrary file upload vulnerability in GigaCC OFFICE

Overview

GigaCC OFFICE provided by WAM!NET Japan K.K. contains a vulnerability where arbitrary files may be uploaded.

WAM!NET Japan K.K. and the following people reported these vulnerabilities to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and WAM!NET Japan K.K. coordinated under the Information Security Early Warning Partnership.

Dongjoo Ha and Heaeun Moon of NSHC Pre., Ltd.
Masaki Yoshikawa of Recruit Technologies Co.,Ltd.
CVSS Severity (What is CVSS?)

Base Metrics: 5.5 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: Partial

CVSS V3 Severity:
Base Metrics: 5.4 (Medium) [IPA Score]
  • Access Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low
Affected Products


WAM!NET Japan K.K.
  • GigaCC ver.2.3 and earlier

For more information, refer to the information provided by the developer.
Impact

An arbitrary file can be uploaded as a profile image file by a user, which may be used for unauthorized file sharing.
Solution

[Apply workaround]
Apply a tentative patch according to the information provided by the developer.
The developer states that an official update will be released later.
Vendor Information

WAM!NET Japan K.K.
CWE (What is CWE?)

CVE (What is CVE?)

  1. CVE-2016-7845
References

  1. JVN : JVNVU#91417143
Revision History

[2017/01/23]
  Web page was published