Mis-configuration of Apache Velocity template engine used to send emails in GigaCC OFFICE


GigaCC OFFICE provided by WAM!NET Japan K.K. contains mis-configuration of Apache Velocity template engine which is used to send emails.

WAM!NET Japan K.K. and the following people reported these vulnerabilities to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and WAM!NET Japan K.K. coordinated under the Information Security Early Warning Partnership.

Dongjoo Ha and Heaeun Moon of NSHC Pre., Ltd.
Masaki Yoshikawa of Recruit Technologies Co.,Ltd.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 5.5 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 6.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

WAM!NET Japan K.K.
  • GigaCC OFFICE ver.2.3 and earlier

For more information, refer to the information provided by the developer.

Sending emails using a specially crafted mail template may result in an arbitrary OS command executed on the server.

[Update to the latest version and then apply a patch]
Update to GigaCC OFFICE ver.2.3 and then apply an appropriate patch according to the information provided by the developer.
Vendor Information

Apache Software Foundation WAM!NET Japan K.K.
CWE (What is CWE?)

CVE (What is CVE?)

  1. CVE-2016-7844

  1. JVN : JVNVU#91417143
  2. National Vulnerability Database (NVD) : CVE-2016-7844
Revision History

  • [2017/01/23]
      Web page was published
  • [2018/02/28]
      References : Content was added