JVN#83334799
Multiple vulnerabilities in Special Interest Group Network for Analysis and Liaison's API

Overview

Special Interest Group Network for Analysis and Liaison's API provided by Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) contains multiple vulnerabilities.

Products Affected

• Special Interest Group Network for Analysis and Liaison versions 4.4.0 to 4.7.7

Description

Special Interest Group Network for Analysis and Liaison's "Inter-SOC Cooperation API" provided by Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) contains multiple vulnerabilities listed below.

• Improper Authorization in Information Provision function (CWE-285) - CVE-2023-38751

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N	Base Score: 3.5
  CVSS v2	AV:N/AC:L/Au:S/C:P/I:N/A:N	Base Score: 4.0

• Improper Authorization in Information Provision and Group Message functions (CWE-285) - CVE-2023-38752

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N	Base Score: 3.5
  CVSS v2	AV:N/AC:L/Au:S/C:P/I:N/A:N	Base Score: 4.0

Impact

• Organization information of the information receiver that is set as "non-disclosure" in the information provision operation may be viewed by an authorized API user - CVE-2023-38751
• Attribute information of the poster that is set as"non-disclosure" in the system settings may be viewed by an authorized API user - CVE-2023-38752

Solution

Apply the Patch
Apply the patch according to the information provided by the developer.
For more information, contact the developer.

Apply the workaround
If the patch cannot be applied, applying the following workaround may mitigate the impacts of these vulnerabilities.

• Configure to stop using the API