Published: 2023/08/07  Last Updated: 2023/08/07

JVN#83334799
Multiple vulnerabilities in Special Interest Group Network for Analysis and Liaison's API

Overview

Special Interest Group Network for Analysis and Liaison's API provided by Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) contains multiple vulnerabilities.

Products Affected

  • Special Interest Group Network for Analysis and Liaison versions 4.4.0 to 4.7.7

Description

Special Interest Group Network for Analysis and Liaison's "Inter-SOC Cooperation API" provided by Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) contains multiple vulnerabilities listed below.

  • Improper Authorization in Information Provision function (CWE-285) - CVE-2023-38751
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N Base Score: 3.5
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0
  • Improper Authorization in Information Provision and Group Message functions (CWE-285) - CVE-2023-38752
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N Base Score: 3.5
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0

Impact

  • Organization information of the information receiver that is set as "non-disclosure" in the information provision operation may be viewed by an authorized API user - CVE-2023-38751
  • Attribute information of the poster that is set as "non-disclosure" in the system settings may be viewed by an authorized API user - CVE-2023-38752

Solution

Apply the Patch
Apply the patch according to the information provided by the developer.
For more information, contact the developer.

Apply the workaround
If the patch cannot be applied, applying the following workaround may mitigate the impacts of these vulnerabilities.

  • Configure the system to stop using the API

Vendor Status

Vendor: Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)
Status: Vulnerable
Last Update: 2023/08/07
Vendor Notes: Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) website

Credit

yusuke negishi of JPCERT/CC Platform Service Group reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2023-38751, CVE-2023-38752
JVN iPedia: JVNDB-2023-000079

Update History

2023/08/07
Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) update status