JVNDB-2018-000130

Cybozu Garoon access restriction bypass vulnerability

Overview

The single sign-on function of Cybozu Garoon, provided by Cybozu, Inc., contains a restriction bypass vulnerability (CWE-284).

Kanta Nishitani reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 7.5 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products


Cybozu, Inc.
  • Cybozu Garoon 3.0.0 to 4.10.0

Impact

An attacker who can access the product may bypass authentication of the single sign-on function and view information that is available only to sign-on users.
Solution

[Apply the Patch]
Apply the patch according to the information provided by the developer.
Vendor Information

Cybozu, Inc.
CWE

  1. Permissions (CWE-264) [IPA Evaluation]
CVE

  1. CVE-2018-16178
References

  1. JVN : JVN#25385698
Revision History

  • [2018/12/10]
      Web page was published