JVNDB-2021-000004
Multiple vulnerabilities in acmailer

Overview
acmailer provided by Seeds Co.,Ltd. contains multiple vulnerabilities listed below.
*Improper Access Control (CWE-284) - CVE-2021-20617
*Privilege Chaining (CWE-268) - CVE-2021-20618
ma.la reported these vulnerabilities to the developer and to IPA, so that users could be notified of the solution through JVN.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVSS Severity
CVSS V3 Severity: Base Metrics 9.8 (Critical) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 7.5 (High) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2021-20617

CVSS V3 Severity: Base Metrics 9.8 (Critical) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 7.5 (High) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2021-20618

Affected Products
Seeds Co.,Ltd.
- acmailer ver. 4.0.1 and earlier (CVE-2021-20617)
- acmailer ver. 4.0.2 and earlier (CVE-2021-20618)
- acmailer DB ver. 1.1.3 and earlier (CVE-2021-20617)
- acmailer DB ver. 1.1.4 and earlier (CVE-2021-20618)

Impact
*A remote attacker may execute arbitrary OS commands or obtain administrative privileges, and as a result sensitive information on the server may be obtained - CVE-2021-20617
*A remote attacker may obtain administrative privileges, and as a result sensitive information on the server may be obtained - CVE-2021-20618

Solution
[Update the software]
Update the software to the latest version according to the information provided by the developer.
According to the developer, these vulnerabilities have been already addressed in the following versions.
- acmailer ver. 4.0.3 or later
- acmailer DB ver. 1.1.5 or later
[Apply workarounds]
Applying workarounds may mitigate the impacts of these vulnerabilities.
CVE-2021-20617
- Delete the following file, located directly under the folder in which the product is installed.
CVE-2021-20618
- Delete the following files, located directly under the folder in which the product is installed:
  - enq_detail.cgi
  - enq_detail_mail.cgi
  - enq_edit.cgi
  - enq_form.cgi
  - enq_list.cgi
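As an added example (not part of this advisory and not the vendor's own material), the POSIX shell script below encodes the affected and fixed version ranges stated above and reports which of the CVE-2021-20618 workaround files are still present in an install folder. The product name and version are passed in as arguments and the demonstration directory is constructed on the fly, because the advisory does not say how to read the installed version from disk; both are assumptions of this example.

```shell
#!/bin/sh
# Added example for JVNDB-2021-000004: version-range check and workaround-file
# check for acmailer / acmailer DB. Not vendor code; all inputs are assumed.

# Workaround files for CVE-2021-20618, as listed in the advisory.
ENQ_FILES="enq_detail.cgi enq_detail_mail.cgi enq_edit.cgi enq_form.cgi enq_list.cgi"

# vercmp A B: compare two dotted numeric versions ("4.0.1", "1.1.5").
# Prints -1 if A < B, 0 if equal, 1 if A > B. Missing components count as 0,
# so "4.0" equals "4.0.0". Non-numeric components are not supported.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah="${a%%.*}"; [ "$ah" = "$a" ] && a="" || a="${a#*.}"
    bh="${b%%.*}"; [ "$bh" = "$b" ] && b="" || b="${b#*.}"
    ah="${ah:-0}"; bh="${bh:-0}"
    if [ "$ah" -lt "$bh" ]; then echo -1; return; fi
    if [ "$ah" -gt "$bh" ]; then echo 1; return; fi
  done
  echo 0
}

# affected_cves PRODUCT VERSION: print the CVE IDs from this advisory that
# apply to VERSION of PRODUCT ("acmailer" or "acmailer_db"), or "none".
# The last affected version per CVE is taken from the Affected Products list:
#   acmailer    <= 4.0.1 (CVE-2021-20617), <= 4.0.2 (CVE-2021-20618)
#   acmailer DB <= 1.1.3 (CVE-2021-20617), <= 1.1.4 (CVE-2021-20618)
affected_cves() {
  case "$1" in
    acmailer)    last617="4.0.1"; last618="4.0.2" ;;
    acmailer_db) last617="1.1.3"; last618="1.1.4" ;;
    *) echo "unknown product: $1" >&2; return 2 ;;
  esac
  out=""
  [ "$(vercmp "$2" "$last617")" -le 0 ] && out="CVE-2021-20617"
  [ "$(vercmp "$2" "$last618")" -le 0 ] && out="${out:+$out }CVE-2021-20618"
  echo "${out:-none}"
}

# workaround_files_present DIR: print, one per line, the CVE-2021-20618
# workaround files that still exist directly under DIR (the install folder).
# An empty result means the workaround has been applied (or the files never
# existed); a non-empty result on an unpatched version means it has not.
workaround_files_present() {
  for f in $ENQ_FILES; do
    [ -e "$1/$f" ] && echo "$f"
  done
  return 0
}

# Demonstration on a constructed directory (hypothetical, not a real install).
demo_dir="$(mktemp -d)"
touch "$demo_dir/enq_form.cgi" "$demo_dir/enq_list.cgi"
affected_cves acmailer 4.0.1          # CVE-2021-20617 CVE-2021-20618
affected_cves acmailer 4.0.2          # CVE-2021-20618
affected_cves acmailer 4.0.3          # none
affected_cves acmailer_db 1.1.5       # none
workaround_files_present "$demo_dir"  # enq_form.cgi, then enq_list.cgi
rm -rf "$demo_dir"
```

Note that a version at or above 4.0.3 (acmailer) or 1.1.5 (acmailer DB) reports "none" for both CVEs, matching the developer's statement above; a 4.0.2 install is fixed only for CVE-2021-20617 and still needs the update or the file removal for CVE-2021-20618.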

Vendor Information
Seeds Co.,Ltd.

CWE
- Permissions, Privileges, and Access Controls (CWE-264) [IPA Evaluation]

CVE
- CVE-2021-20617
- CVE-2021-20618

References
- JVN: JVN#35906450
- National Vulnerability Database (NVD) : CVE-2021-20617
- National Vulnerability Database (NVD) : CVE-2021-20618

Revision History
- [2021/01/14] Web page was published