|
JVNDB-2022-000051
|
Multiple vulnerabilities in Cybozu Garoon
|
Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.
* [CyVDB-2909] Operation restriction bypass in multiple applications (CWE-285) - CVE-2022-30602
* [CyVDB-3042] Information disclosure in multiple applications (CWE-200) - CVE-2022-29512
* [CyVDB-3111] Improper input validation in multiple applications (CWE-20) - CVE-2022-29926
* [CyVDB-3143] Browsing restriction bypass vulnerability in Bulletin (CWE-284) - CVE-2022-30943
CVE-2022-30602
Shuichi Uruma reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
CVE-2022-30943
Yuji Tounai reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
CVE-2022-29512
Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
[Updated on 2022 July 6]
After further investigation, the developer determined that [CyVDB-3111] is not a vulnerability.
The JVN advisory was therefore updated by crossing out the description of [CyVDB-3111].
|
CVSS V3 Severity: Base Metrics 5.4 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
CVSS V2 Severity: Base Metrics 5.5 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single Instance
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2022-30602
|
CVSS V3 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
CVSS V2 Severity: Base Metrics 4.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-29512
|
CVSS V3 Severity: Base Metrics 7.1 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: High
CVSS V2 Severity: Base Metrics 5.5 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2022-29926
|
CVSS V3 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
CVSS V2 Severity: Base Metrics 4.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-30943
|
|
Cybozu, Inc.
- Cybozu Garoon 4.0.0 to 5.9.1
|
|
* [CyVDB-2909]:
A user who can log in to the product may alter the file information and/or delete the files.
* [CyVDB-3042]:
A user who can log in to the product may obtain the data without the viewing privilege.
* [CyVDB-3111]:
A user who can log in to the product may cause a denial-of-service (DoS) condition.
* [CyVDB-3143]:
A user who can log in to the product may obtain the data of Bulletin.
|
[Update the Software]
Update to the latest version according to the information provided by the developer.
|
Cybozu, Inc.
|
- Information Exposure (CWE-200) [IPA Evaluation]
- Permissions (CWE-264) [IPA Evaluation]
|
- CVE-2022-30602
- CVE-2022-29512
- CVE-2022-29926
- CVE-2022-30943
|
- JVN : JVN#14077132
- National Vulnerability Database (NVD) : CVE-2022-30602
- National Vulnerability Database (NVD) : CVE-2022-29512
- National Vulnerability Database (NVD) : CVE-2022-29926
- National Vulnerability Database (NVD) : CVE-2022-30943
|
- [2022/07/04] Web page was published
- [2022/07/06] Overview was modified; CVSS Severity was modified; Impact was modified; CWE was modified
- [2024/06/17] References : Contents were added
|