Published: 2021/07/01  Last Updated: 2021/07/01

JVN#57942445
EC-CUBE fails to restrict access permissions

Overview

EC-CUBE provided by EC-CUBE CO.,LTD. fails to restrict access permissions.

Products Affected

  • EC-CUBE 4.0.6 (EC-CUBE 4 series)

According to the developer, this vulnerability is caused by a defect in the fix of JVN#95292458.

Description

EC-CUBE provided by EC-CUBE CO.,LTD. fails to restrict access permissions (CWE-284).

Impact

A remote attacker may obtain sensitive information.

Solution

Update the Software
Update the software according to the information provided by the developer.
The developer has released EC-CUBE 4.0.6-p1 that addresses the vulnerability.

Apply the Patch
Apply the hotfix patch according to the information provided by the developer.

Vendor Status

Vendor: EC-CUBE CO.,LTD.
Status: Vulnerable
Last Update: 2021/07/01
Vendor Notes: EC-CUBE CO.,LTD. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score: 7.5
  Attack Vector (AV): Network (N)
  Attack Complexity (AC): Low (L)
  Privileges Required (PR): None (N)
  User Interaction (UI): None (N)
  Scope (S): Unchanged (U)
  Confidentiality Impact (C): High (H)
  Integrity Impact (I): None (N)
  Availability Impact (A): None (N)

CVSS v2 AV:N/AC:L/Au:N/C:P/I:N/A:N
Base Score: 5.0
  Access Vector (AV): Network (N)
  Access Complexity (AC): Low (L)
  Authentication (Au): None (N)
  Confidentiality Impact (C): Partial (P)
  Integrity Impact (I): None (N)
  Availability Impact (A): None (N)

Credit

EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2021-20778
JVN iPedia: JVNDB-2021-000059