Published:2020/03/02  Last Updated:2020/03/02

JVN#73472345
GRANDIT vulnerable to session management

Overview

GRANDIT contains a vulnerability in session management.

Products Affected

  • GRANDIT Ver.1.6
  • GRANDIT Ver.2.0
  • GRANDIT Ver.2.1
  • GRANDIT Ver.2.2
  • GRANDIT Ver.2.3
  • GRANDIT Ver.3.0

Description

GRANDIT provided by GRANDIT CORPORATION contains a vulnerability in session management (CWE-639).

Impact

A user who can access to the product may impersonate an arbitrary user. As a result, information may be altered or disclosed.

Solution

Apply the Patch
Apply the appropriate patch according to the information provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes
GRANDIT CORPORATION Vulnerable 2020/03/02 GRANDIT CORPORATION website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Base Score: 4.2
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:N
Base Score: 4.0
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Kazuki Mitobe of FUJISOFT INCORPORATED reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2020-5539
JVN iPedia JVNDB-2020-000019