[Japanese]

JVNDB-2020-000085

Multiple vulnerabilities in GROWI

Overview

GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
* Denial-of-service (DoS) due to improper verification of input values (CWE-400) - CVE-2020-5682
* Directory traversal due to improper verification of uploaded files (CWE-22) - CVE-2020-5683

These vulnerabilities were reported by the following persons to IPA, and JPCERT/CC coordinated coordinated with the developer under Information Security Early Warning Partnership.
CVE-2020-5682
Norihide Saito of Information Science College / Flatt Security inc.
CVE-2020-5683
Daisuke Takahashi of CyberAgent, Inc.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2020-5682


CVSS V3 Severity:
Base Metrics: 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics: 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2020-5683
Affected Products


WESEEK, Inc.
  • GROWI versions prior to v4.2.3 (v4.2 Series)
  • GROWI versions prior to v4.1.12 (v4.1 Series)
  • GROWI v3 series and earlier

Impact

* A remote attacker may be able to cause a denial-of-service (DoS) condition. - CVE-2020-5682
* When a specially crafted file is uploaded, data in the product may be altered. - CVE-2020-5683
Solution

[Update the Software]
Update to the appropriate version according to the information provided by the developer.

The developer recommends users to upgrade the product to v4.2 series because v3 series and earlier are End-of-Support and no patches available.
Vendor Information

WESEEK, Inc.
CWE (What is CWE?)

  1. Path Traversal(CWE-22) [IPA Evaluation]
  2. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2020-5682
  2. CVE-2020-5683
References

  1. JVN : JVN#94169589
Revision History

  • [2020/12/15]
      Web page was published