Published: 2022/01/21  Last Updated: 2022/01/21

Information from WESEEK, Inc.

Vulnerability ID: JVNVU#94151526
Title: GROWI vulnerable to authorization bypass through user-controlled key
Status: Vulnerable

This is a statement from the vendor itself with no modification by JPCERT/CC.

[Summary]
GROWI is developed by WESEEK, Inc.
GROWI releases prior to v3.2.3 contain a bug that causes risks of authentication bypass.

[Affected Products]
This bug affects GROWI releases prior to v4.4.8.

[Description]
GROWI releases prior to v4.4.8 contain bugs of authentication bypass.

[Impact]
An attacker can bypass authentication and delete any other users' comments.

[Solution]
Please upgrade your GROWI to v4.4.8 or later.

Where to get the updated version

[GitHub](https://github.com/weseek/growi)
[Docker Hub](https://hub.docker.com/r/weseek/growi/)