JVNDB-2022-001087

GROWI vulnerable to authorization bypass through user-controlled key

Overview

GROWI provided by WESEEK, Inc. contains an authorization bypass through user-controlled key vulnerability (CWE-639, CVE-2021-3852).

huntr first reported this vulnerability to JPCERT/CC, and JPCERT/CC then contacted WESEEK, Inc. as an intermediary. After the coordination between huntr and WESEEK, Inc. was completed, this case was published through JVN to notify users of the solution.

CVSS Severity

CVSS V3 Severity:
Base Metrics 7.3 (High) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 5.0 (Medium) [NVD Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


WESEEK, Inc.
  • GROWI v4.4.7 and earlier

Impact

An unauthenticated remote attacker may bypass the authorization check and delete an arbitrary user's comment by supplying the identifier of that comment.
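The following is an added illustration of the weakness class this advisory names (CWE-639, authorization bypass through a user-controlled key) in the form the Impact section describes, a comment-deletion handler. It is hypothetical example code written for this page, not GROWI's source or its fix; the in-memory store, the request shape (`req.user` populated by the session layer, `req.body.comment_id` supplied by the client) and the handler names are assumptions.

```javascript
// Hypothetical illustration of CWE-639 in a comment-deletion handler.
// Not GROWI's code; store, request shape and names are assumptions.

// Constructed in-memory comment store standing in for a database.
// Keys are comment ids; `creator` is the id of the user who wrote it.
function makeStore() {
  return new Map([
    ['c1', { creator: 'alice', page: 'p1', body: 'first' }],
    ['c2', { creator: 'bob',   page: 'p1', body: 'second' }],
    ['c3', { creator: 'alice', page: 'p2', body: 'third' }],
  ]);
}

// Vulnerable pattern: the client-supplied comment_id is the only thing
// that selects the record. There is no login check and no comparison of
// the comment's owner with the caller, so any request naming a valid id
// removes someone else's comment.
function deleteCommentVulnerable(store, req) {
  const id = req.body.comment_id;
  if (!store.has(id)) return { status: 404 };
  store.delete(id);
  return { status: 200 };
}

// Hardened pattern: require an authenticated caller, load the record by
// the user-controlled key, then authorize against a server-side fact
// (ownership or an admin role) before acting. The key still comes from
// the client, but it can no longer select records the caller may not touch.
function deleteCommentHardened(store, req) {
  const user = req.user; // set by the session layer, never taken from the body
  if (!user) return { status: 401 };
  const id = req.body.comment_id;
  const comment = store.get(id);
  if (!comment) return { status: 404 };
  const isOwner = comment.creator === user.id;
  if (!isOwner && !user.admin) return { status: 403 };
  store.delete(id);
  return { status: 200 };
}

// Same request replayed against both handlers: an unauthenticated caller
// asks to delete bob's comment. Returns both outcomes and the number of
// comments left in each store so the difference is observable.
function demo() {
  const attack = { user: null, body: { comment_id: 'c2' } };
  const v = makeStore();
  const h = makeStore();
  const vulnerable = deleteCommentVulnerable(v, attack);
  const hardened = deleteCommentHardened(h, attack);
  return { vulnerable, hardened, vRemaining: v.size, hRemaining: h.size };
}

console.log(demo());
```

The point of the hardened handler is that the identity used for the ownership comparison comes from the server-side session, not from another client-controlled field such as a `user_id` in the request body; accepting the latter would only move the same weakness one field over.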
Solution

[Update the software]
Update the software to the version listed below which contains the fix for this vulnerability.

* GROWI v4.4.8 and later

Vendor Information

WESEEK, Inc.

CWE

  1. Authorization Bypass Through User-Controlled Key (CWE-639) [Other]

CVE

  1. CVE-2021-3852
References

  1. JVN : JVNVU#94151526
  2. National Vulnerability Database (NVD) : CVE-2021-3852
  3. Related document : Authorization Bypass Through User-Controlled Key in weseek/growi
  4. Related document : VDB-190179 (GROWI AUTHORIZATION)
Revision History

  • [2022/01/24]
      Web page was published