Published: 2021/03/08  Last Updated: 2021/03/08

JVNVU#94889258
Multiple vulnerabilities in GROWI

Overview

GROWI contains multiple vulnerabilities.

Products Affected

  • GROWI versions v4.2.2 and earlier

Description

GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.

  • Stored Cross-site Scripting (CWE-79) - CVE-2021-20667
    CVSS v3 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N Base Score: 3.7
  • Path Traversal (CWE-22) - CVE-2021-20668
    CVSS v3 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N Base Score: 3.0
  • Path Traversal (CWE-22) - CVE-2021-20669
    CVSS v3 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:H Base Score: 6.2
  • Improper Access Control (CWE-284) - CVE-2021-20670
    CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N Base Score: 5.8
  • Improper Input Validation (CWE-20) - CVE-2021-20671
    CVSS v3 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H Base Score: 7.6

Impact

  • Inadequate CSP (Content Security Policy) configuration allows a remote attacker to execute an arbitrary script on the web browser of a user who accesses an attached file containing specially crafted content - CVE-2021-20667
  • An arbitrary path can be read if a remote attacker with administrative privilege accesses the affected product via a specially crafted URL - CVE-2021-20668
  • An arbitrary path can be read and/or deleted if a remote attacker with administrative privilege sends a specially crafted request - CVE-2021-20669
  • Improper access control of files allows an unauthenticated remote attacker to read the user's personal information and/or server's internal information - CVE-2021-20670
  • Insufficient file validation in the upload feature allows a remote attacker with administrative privilege to overwrite files on the server, which may lead to arbitrary code execution - CVE-2021-20671

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.
According to the developer, these vulnerabilities were fixed in the following software version.

  • GROWI v4.2.3

Vendor Status

Vendor         Status       Last Update   Vendor Notes
WESEEK, Inc.   Vulnerable   2021/03/08    WESEEK, Inc. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

stypr of Flatt Security Inc. reported these vulnerabilities to the developer and coordinated with the developer on his own.
After coordination was completed, this case was reported to JPCERT/CC, and JPCERT/CC coordinated with the developer for the publication.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE: CVE-2021-20667, CVE-2021-20668, CVE-2021-20669, CVE-2021-20670, CVE-2021-20671
JVN iPedia