[Japanese]

JVNDB-2022-001953

Growi vulnerable to weak password requirements

Overview

GROWI provided by WESEEK, Inc. contains a weak password requirements vulnerability (CWE-521, CVE-2022-1236).

418sec first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WSEEK, Inc. as a coordinator. After the coordination between 418sec and WESEEK, Inc. was completed, this case was published to notify the users of the solution through JVN.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 6.5 (Medium) [NVD Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 6.4 (Medium) [NVD Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


WESEEK, Inc.
  • GROWI versions prior to v5.00

Impact

If a user sets a weak password, an attacker may be able to access the user's account and its data via a bruteforce attack.
Solution

[Update the software]
Update the software to GROWI v5.00 (v5 series) or above according to the information provided by the developer.
The fixed version requires a user to set a longer password at the user registration.

* GROWI v5.00 or later
Vendor Information

WESEEK, Inc.
CWE (What is CWE?)

  1. Weak Password Requirements(CWE-521) [Other]
CVE (What is CVE?)

  1. CVE-2022-1236
References

  1. JVN : JVNVU#96438711
  2. National Vulnerability Database (NVD) : CVE-2022-1236
  3. Related document : Weak Password Requirements in weseek/growi
Revision History

  • [2022/06/15]
      Web page was published

Date Public2022/06/14
Date First Published2022/06/15
Date Last Updated2022/06/15