[Japanese]

JVNDB-2019-000076

Multiple vulnerabilities in Cybozu Office

Overview

Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below.
* Directory traversal in the "Customapp" function (CWE-22) - CVE-2019-6022

* Browse restriction bypass in the application "Address" (CWE-284) - CVE-2019-6023

Two vulnerabilities were reported by the following persons to Cybozu, Inc. directly, and Cybozu Inc. reported the vulnerabilities to JPCERT/CC to notify users of the solution through JVN.

CVE-2019-6022 by Shoji Baba
CVE-2019-6023 by Tanghaifeng
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.7 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-6022

CVSS V3 Severity:
Base Metrics: 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics: 4.0 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-6023
Affected Products


Cybozu, Inc.
  • Cybozu Office 10.0.0 to 10.8.3

Impact

* A user who can use "Customapp" function may alter arbitrary files on the server - CVE-2019-6022
* A user who can login to the product may obtain data without access privileges - CVE-2019-6023
Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.
Vendor Information

Cybozu, Inc.
CWE (What is CWE?)

  1. Path Traversal(CWE-22) [IPA Evaluation]
  2. Permissions(CWE-264) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2019-6022
  2. CVE-2019-6023
References

  1. JVN : JVN#79854355
  2. National Vulnerability Database (NVD) : CVE-2019-6022
  3. National Vulnerability Database (NVD) : CVE-2019-6023
Revision History

  • [2019/12/17]
      Web page was published

Date Public2019/12/17
Date First Published2019/12/17
Date Last Updated2019/12/17