JVNDB-2022-000051

Multiple vulnerabilities in Cybozu Garoon

Overview

Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.

* [CyVDB-2909] Operation restriction bypass in multiple applications (CWE-285) - CVE-2022-30602
* [CyVDB-3042] Information disclosure in multiple applications (CWE-200) - CVE-2022-29512
* [CyVDB-3111] Improper input validation in multiple applications (CWE-20) - CVE-2022-29926
* [CyVDB-3143] Browsing restriction bypass vulnerability in Bulletin (CWE-284) - CVE-2022-30943

CVE-2022-30602
Shuichi Uruma reported this vulnerability to Cybozu, Inc., which in turn reported it to JPCERT/CC to notify users of its solution through JVN.

CVE-2022-30943
Yuji Tounai reported this vulnerability to Cybozu, Inc., which in turn reported it to JPCERT/CC to notify users of its solution through JVN.

CVE-2022-29512
Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.

[Updated on 2022 July 6]
The developer identified, after further investigation, that [CyVDB-3111] was not a vulnerability.
Therefore, the JVN advisory was updated by crossing out the description regarding [CyVDB-3111].

CVSS Severity

CVSS V3 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 5.5 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2022-30602.


CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-29512.


CVSS V3 Severity:
Base Metrics 7.1 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 5.5 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2022-29926.


CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-30943.

Affected Products

Cybozu, Inc.
  • Cybozu Garoon 4.0.0 to 5.9.1

Impact

* [CyVDB-2909]:
A user who can log in to the product may alter the file information and/or delete the files.
* [CyVDB-3042]:
A user who can log in to the product may obtain the data without the viewing privilege.
* [CyVDB-3111]:
A user who can log in to the product may cause a denial-of-service (DoS) condition.
* [CyVDB-3143]:
A user who can log in to the product may obtain the data of Bulletin.

Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.

Vendor Information

Cybozu, Inc.

CWE

  1. Information Exposure (CWE-200) [IPA Evaluation]
  2. Permissions (CWE-264) [IPA Evaluation]

CVE

  1. CVE-2022-30602
  2. CVE-2022-29512
  3. CVE-2022-29926
  4. CVE-2022-30943

References

  1. JVN : JVN#14077132

Revision History

  • [2022/07/04]
      Web page was published
  • [2022/07/06]
      Overview was modified
      CVSS Severity was modified
      Impact was modified
      CWE was modified