[Japanese]
|
JVNDB-2022-000035
|
Multiple vulnerabilities in Cybozu Garoon
|
Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.
* [CyVDB-1584][CyVDB-2670] Operation restriction bypass vulnerability in Bulletin (CWE-285) - CVE-2022-28718
* [CyVDB-1865][CyVDB-2692] Operation restriction bypass vulnerability in Workflow (CWE-285) - CVE-2022-27661
* [CyVDB-2660] Improper input validation vulnerability in Space (CWE-20) - CVE-2022-29892
* [CyVDB-2667] Cross-site scripting vulnerability in Scheduler (CWE-79) - CVE-2022-29513
* [CyVDB-2685] Browse restriction bypass vulnerability in Bulletin (CWE-284) - CVE-2022-29471
* [CyVDB-2689] Operation restriction bypass vulnerability in Portal (CWE-285) - CVE-2022-26051
* [CyVDB-2718] Improper input validation vulnerability in Scheduler (CWE-20) - CVE-2022-28692
* [CyVDB-2839] Improper input validation vulnerability in Space (CWE-20) - CVE-2022-27803
* [CyVDB-2841] Browse restriction bypass and operation restriction bypass vulnerability in Cabinet (CWE-285) - CVE-2022-26368
* [CyVDB-2889] Cross-site scripting vulnerability in Organization's Information (CWE-79) - CVE-2022-27627
* [CyVDB-2897] Operation restriction bypass vulnerability in Link (CWE-285) - CVE-2022-26054
* [CyVDB-2906] Improper input validation vulnerability in Link (CWE-20) - CVE-2022-27807
* [CyVDB-2932] Address information disclosure vulnerability (CWE-200) - CVE-2022-29467
* [CyVDB-2940] Improper authentication vulnerability in Scheduler (CWE-287) - CVE-2022-28713
* [CyVDB-3001] Operation restriction bypass vulnerability in Space (CWE-285) - CVE-2022-29484
* [CyVDB-2911] Browse restriction bypass vulnerability in Cabinet (CWE-284) - CVE-2022-31472
CVE-2022-27627
Masato Kinugawa reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
CVE-2022-26054, CVE-2022-26368, CVE-2022-31472
Yuji Tounai reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN.
CVE-2022-26051, CVE-2022-27661, CVE-2022-27803, CVE-2022-27807, CVE-2022-28692, CVE-2022-28713, CVE-2022-28718, CVE-2022-29467, CVE-2022-29471, CVE-2022-29484, CVE-2022-29513, CVE-2022-29892
Cybozu, Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
|
CVSS V3 Severity: Base Metrics 5.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
CVSS V2 Severity: Base Metrics 5.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-28713
|
CVSS V3 Severity:
Base Metrics
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
4.0 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-28718
|
CVSS V3 Severity:
Base Metrics
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
4.0 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-27661
|
CVSS V3 Severity:
Base Metrics
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: None
-
Availability Impact: Low
CVSS V2 Severity:Base Metrics
4.0 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: None
-
Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2022-29892
|
CVSS V3 Severity:
Base Metrics
4.8 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: High
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
3.5 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Medium
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-29513
|
CVSS V3 Severity:
Base Metrics
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: Low
-
Integrity Impact: None
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
4.0 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: Partial
-
Integrity Impact: None
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-29471
|
CVSS V3 Severity:
Base Metrics
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
4.0 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-26051
|
CVSS V3 Severity:
Base Metrics
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
4.0 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-28692
|
CVSS V3 Severity:
Base Metrics
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
4.0 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-27803
|
CVSS V3 Severity:
Base Metrics
5.4 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
4.0 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-26368
|
CVSS V3 Severity:
Base Metrics
6.1 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
4.3 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Medium
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-27627
|
CVSS V3 Severity:
Base Metrics
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
4.0 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-26054
|
CVSS V3 Severity:
Base Metrics
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: None
-
Availability Impact: Low
CVSS V2 Severity:Base Metrics
4.0 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: None
-
Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2022-27807
|
CVSS V3 Severity:
Base Metrics
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: Low
-
Integrity Impact: None
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
4.0 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: Partial
-
Integrity Impact: None
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-29467
|
CVSS V3 Severity:
Base Metrics
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
4.0 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-29484
|
CVSS V3 Severity:
Base Metrics
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: Low
-
Integrity Impact: None
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
4.0 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: Partial
-
Integrity Impact: None
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-31472
|
|
Cybozu, Inc.
- Cybozu Garoon 4.0.0 to 5.5.1 [CyVDB-1584], [CyVDB-1865], [CyVDB-2670], [CyVDB-2660], [CyVDB-2689], [CyVDB-2692], [CyVDB-2718], [CyVDB-2839], [CyVDB-2841], [CyVDB-2897], [CyVDB-2906], [CyVDB-2911]
- Cybozu Garoon 4.10.0 to 5.5.1 [CyVDB-2667], [CyVDB-2940]
- Cybozu Garoon 4.6.0 to 5.9.0 [CyVDB-2685]
- Cybozu Garoon 4.10.2 to 5.5.1 [CyVDB-2889]
- Cybozu Garoon 4.2.0 to 5.5.1 [CyVDB-2932]
- Cybozu Garoon 4.0.0 to 5.9.0 [CyVDB-3001]
|
|
* [CyVDB-1584], [CyVDB-2670]:
A user who can log in to the product may alter the data of Bulletin.
* [CyVDB-1865], [CyVDB-2692]:
A user who can log in to the product may alter the data of Workflow.
* [CyVDB-2660]:
A user who can log in to the product may repeatedly display errors in certain functions and cause a denial-of-service (DoS).
* [CyVDB-2667], [CyVDB-2889]:
An arbitrary script may be executed on a logged-in user's web browser.
* [CyVDB-2685]:
A user who can log in to the product may obtain the data of Bulletin.
* [CyVDB-2689]:
A user who can log in to the product may alter the data of Portal.
* [CyVDB-2718]:
A user who can log in to the product may alter the data of Scheduler.
* [CyVDB-2839]:
A user who can log in to the product may alter the data of Space.
* [CyVDB-2841]:
A user who can log in to the product may alter and/or obtain the data of Cabinet.
* [CyVDB-2897]:
A user who can log in to the product may alter the data of Link.
* [CyVDB-2906]:
A user who can log in to the product may make it impossible to add Categories.
* [CyVDB-2932]:
A user who can log in to the product may obtain some data of Address.
* [CyVDB-2940]:
A user may obtain some data of Facility Information without logging in to the product.
* [CyVDB-3001]:
A user who can log in to the product may delete the data of Space.
* [CyVDB-2911]:
A user who can log in to the product may obtain the data of Cabinet.
|
[Update the Software]
Update to the latest version according to the information provided by the developer.
|
Cybozu, Inc.
|
- Improper Input Validation(CWE-20) [IPA Evaluation]
- Information Exposure(CWE-200) [IPA Evaluation]
- Permissions(CWE-264) [IPA Evaluation]
- Improper Authentication(CWE-287) [IPA Evaluation]
- Cross-site Scripting(CWE-79) [IPA Evaluation]
- No Mapping(CWE-Other) [IPA Evaluation]
|
- CVE-2022-26051
- CVE-2022-26054
- CVE-2022-26368
- CVE-2022-27627
- CVE-2022-27661
- CVE-2022-27803
- CVE-2022-27807
- CVE-2022-28692
- CVE-2022-28713
- CVE-2022-28718
- CVE-2022-29467
- CVE-2022-29471
- CVE-2022-29484
- CVE-2022-29513
- CVE-2022-29892
- CVE-2022-31472
|
- JVN : JVN#73897863
- National Vulnerability Database (NVD) : CVE-2022-26051
- National Vulnerability Database (NVD) : CVE-2022-26054
- National Vulnerability Database (NVD) : CVE-2022-26368
- National Vulnerability Database (NVD) : CVE-2022-27627
- National Vulnerability Database (NVD) : CVE-2022-27661
- National Vulnerability Database (NVD) : CVE-2022-27803
- National Vulnerability Database (NVD) : CVE-2022-27807
- National Vulnerability Database (NVD) : CVE-2022-28692
- National Vulnerability Database (NVD) : CVE-2022-28713
- National Vulnerability Database (NVD) : CVE-2022-28718
- National Vulnerability Database (NVD) : CVE-2022-29467
- National Vulnerability Database (NVD) : CVE-2022-29471
- National Vulnerability Database (NVD) : CVE-2022-29484
- National Vulnerability Database (NVD) : CVE-2022-29513
- National Vulnerability Database (NVD) : CVE-2022-29892
- National Vulnerability Database (NVD) : CVE-2022-31472
|
- [2022/05/16]
Web page was published
- [2022/07/04]
Overview was modified
CVSS Severity was modified
Affected Products : Product version was modified
Impact was modified
References : Content was added
- [2022/07/06]
Impact was modified
- [2024/06/17]
References : Contents were added
|