Growi vulnerable to weak password requirements


GROWI provided by WESEEK, Inc. contains a weak password requirements vulnerability (CWE-521, CVE-2022-1236).

418sec first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WSEEK, Inc. as a coordinator. After the coordination between 418sec and WESEEK, Inc. was completed, this case was published to notify the users of the solution through JVN.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 6.5 (Medium) [NVD Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 6.4 (Medium) [NVD Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

  • GROWI versions prior to v5.00


If a user sets a weak password, an attacker may be able to access the user's account and its data via a bruteforce attack.

[Update the software]
Update the software to GROWI v5.00 (v5 series) or above according to the information provided by the developer.
The fixed version requires a user to set a longer password at the user registration.

* GROWI v5.00 or later
Vendor Information

CWE (What is CWE?)

  1. Weak Password Requirements(CWE-521) [Other]
CVE (What is CVE?)

  1. CVE-2022-1236

  1. JVN : JVNVU#96438711
  2. National Vulnerability Database (NVD) : CVE-2022-1236
  3. Related document : Weak Password Requirements in weseek/growi
Revision History

  • [2022/06/15]
      Web page was published