Published:2014/07/15 Last Updated:2014/07/15
JVN#42024228
Cybozu Garoon CGI vulnerable to remote command execution
Overview
Cybozu Garoon CGI contains a remote command execution vulnerability.
Products Affected
- Cybozu Garoon 3.1.0 to 3.7 Service Pack 3
Description
Cybozu Garoon provided by Cybozu, Inc. is a groupware. Cybozu Garoon CGI contains a remote command execution vulnerability.
Impact
An arbitrary command may be executed on the server where Cybozu Garoon resides.
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Cybozu, Inc. | Vulnerable | 2014/07/15 | Cybozu, Inc. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2014.07.15 (CVSS Base Metrics)
| Measures | Severity | Description | ||
|---|---|---|---|---|
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) | A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed "remotely exploitable". |
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) | Specialized access conditions or extenuating circumstances do not exist. |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) | Authentication is not required to exploit the vulnerability. |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) | There is total information disclosure, resulting in all system files being revealed. |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) | There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised. |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) | There is a total shutdown of the affected resource. |
Base Score:10.0
Credit
Masaaki Chida of GREE, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2014-1987 |
| JVN iPedia |
JVNDB-2014-000073 |