JVNDB-2021-000050

Multiple vulnerabilities in GROWI

Overview

GROWI provided by WESEEK, Inc. contains the multiple vulnerabilities listed below.
  • NoSQL injection (CWE-943) - CVE-2021-20736
  • Improper authentication (CWE-287) - CVE-2021-20737

CVSS Severity

CVSS V3 Severity:
Base Metrics: 7.3 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics: 7.5 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2021-20736.

CVSS V3 Severity:
Base Metrics: 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics: 4.0 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20737.

Affected Products

WESEEK, Inc.
  • GROWI prior to v4.2.20

Impact

The expected impact depends on each vulnerability, but may be as follows.
  • A user who can access the product may obtain and/or alter the information stored in the database - CVE-2021-20736
  • A user who can log in to the product may view pages without having the access privileges for them - CVE-2021-20737

Solution

[Update the Software]
Update the software to the latest version according to the information provided by the developer.
The developer has released the fixed version v4.2.20.

The developer recommends that users upgrade the software to the v4.2 series, because the v3 series and earlier are no longer supported (End-of-Support) and no updates or patches are provided for those series.

Vendor Information

WESEEK, Inc.
CWE

  1. Improper Authentication (CWE-287) [IPA Evaluation]
  2. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2021-20736
  2. CVE-2021-20737
References

  1. JVN: JVN#95457785
  2. National Vulnerability Database (NVD): CVE-2021-20736
  3. National Vulnerability Database (NVD): CVE-2021-20737

Revision History

  • [2021/06/14]
      Web page was published