Published:2021/01/14  Last Updated:2021/01/14

JVN#35906450
Multiple vulnerabilities in acmailer

Overview

acmailer provided by Seeds Co.,Ltd. contains multiple vulnerabilities.

Products Affected

CVE-2021-20617
  • acmailer ver. 4.0.1 and earlier
  • acmailer DB ver. 1.1.3 and earlier

CVE-2021-20618
  • acmailer ver. 4.0.2 and earlier
  • acmailer DB ver. 1.1.4 and earlier

Description

acmailer provided by Seeds Co.,Ltd. contains multiple vulnerabilities listed below.

  • Improper Access Control (CWE-284) - CVE-2021-20617
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P Base Score: 7.5
  • Privilege Chaining (CWE-268) - CVE-2021-20618
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P Base Score: 7.5

Impact

  • A remote attacker may execute an arbitrary OS command or obtain administrative privileges, and as a result sensitive information on the server may be obtained - CVE-2021-20617
  • A remote attacker may obtain administrative privileges, and as a result sensitive information on the server may be obtained - CVE-2021-20618

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.
According to the developer, these vulnerabilities have already been addressed in the following versions.

  • acmailer ver. 4.0.3 or later
  • acmailer DB ver. 1.1.5 or later
Apply workarounds
Applying workarounds may mitigate the impacts of these vulnerabilities.
CVE-2021-20617
  • Delete the following file in the folder directly below the folder where the product is placed.
    • init_ctl.cgi
CVE-2021-20618
  • Delete the following files in the folder directly below the folder where the product is placed.
    • enq_detail.cgi
    • enq_detail_mail.cgi
    • enq_edit.cgi
    • enq_form.cgi
    • enq_list.cgi
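The following POSIX shell script is an added example for auditing and applying the workarounds above; it is not part of the JVN advisory or of acmailer. It assumes the caller passes the folder where the product is placed, checks that folder and the folders directly below it for the listed CGI files, and (as an assumption of this example, chosen so the change is reversible once the update is installed) moves any it finds into a quarantine directory outside the web root instead of deleting them outright.

```shell
#!/bin/sh
# Files named in the JVN#35906450 workarounds, grouped by CVE.
ACMAILER_20617_FILES="init_ctl.cgi"
ACMAILER_20618_FILES="enq_detail.cgi enq_detail_mail.cgi enq_edit.cgi enq_form.cgi enq_list.cgi"

# Print each workaround file still present in $1 (the folder where the
# product is placed) or in any folder directly below it, one path per line.
# Returns 0 when none remain, 1 when at least one does.
acmailer_workaround_remaining() {
    base="$1"
    found=0
    for f in $ACMAILER_20617_FILES $ACMAILER_20618_FILES; do
        for p in "$base/$f" "$base"/*/"$f"; do
            if [ -f "$p" ]; then
                echo "$p"
                found=1
            fi
        done
    done
    return $found
}

# Move every remaining workaround file out of the product tree into $2
# (a quarantine directory that the web server must not serve), keeping the
# path relative to $1 so each file can be identified later.
acmailer_quarantine_workaround_files() {
    base="$1"
    qdir="$2"
    mkdir -p "$qdir" || return 2
    acmailer_workaround_remaining "$base" | while IFS= read -r p; do
        rel=${p#"$base/"}
        mkdir -p "$qdir/$(dirname "$rel")"
        mv "$p" "$qdir/$rel"
        echo "quarantined $p"
    done
}

# Usage: sh acmailer_workaround.sh /path/to/acmailer [/path/to/quarantine]
# With one argument the script only reports; with two it also quarantines.
if [ -n "$1" ]; then
    if acmailer_workaround_remaining "$1"; then
        echo "no workaround files remain under $1"
    elif [ -n "$2" ]; then
        acmailer_quarantine_workaround_files "$1" "$2"
    fi
fi
```

The quarantine step is equivalent to deletion from the web server's point of view only if the quarantine directory is outside every document root; the advisory's own instruction is simply to delete the files.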

Vendor Status

Vendor          Status      Last Update  Vendor Notes
Seeds Co.,Ltd.  Vulnerable  2021/01/14   Seeds Co.,Ltd. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

ma.la reported these vulnerabilities to the developer, and also to IPA in order to notify users of the solution through JVN.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2021-20617, CVE-2021-20618
JVN iPedia: JVNDB-2021-000004