[Japanese]

JVNDB-2022-000078

bingo!CMS vulnerable to authentication bypass

Overview

bingo!CMS provided by Shift Tech Inc. contains an authentication bypass vulnerability (CWE-288) in some of the management functions.
Shift Tech Inc. states that attacks exploiting this vulnerability have been observed.

Shift Tech Inc. reported this vulnerability to IPA to notify users of its solution through JVN.
JPCERT/CC and Shift Tech Inc. coordinated under the Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.5 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


Shift Tech Inc.
  • bingo!CMS version 1.7.4.1 and earlier

Impact

Accessing a specific URL directly may allow a remote unauthenticated attacker to upload an arbitrary file without authentication.
As a result, an arbitrary script may be executed and/or a file may be altered.
Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer.
This vulnerability has been addressed in version 1.7.4.2.
Vendor Information

Shift Tech Inc.
CWE (What is CWE?)

  1. Improper Authentication(CWE-287) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2022-42458
References

  1. JVN : JVN#74592196
  2. National Vulnerability Database (NVD) : CVE-2022-42458
  3. IPA SECURITY ALERTS : Security Updates Available for bingo!CMS (JVN#74592196) (in Japanese)
  4. JPCERT : JPCERT-AT-2022-0026
Revision History

  • [2022/10/11]
      Web page was published
  • [2024/05/30]
      References : Content was added