Published:2020/12/15 Last Updated:2020/12/15
JVN#94169589
Multiple vulnerabilities in GROWI
Overview
GROWI contains multiple vulnerabilities.
Products Affected
- GROWI versions prior to v4.2.3 (v4.2 Series)
- GROWI versions prior to v4.1.12 (v4.1 Series)
- GROWI v3 series and earlier
Description
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
- Denial-of-service (DoS) due to improper verification of input values (CWE-400) - CVE-2020-5682
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Base Score: 5.3 CVSS v2 AV:N/AC:L/Au:N/C:N/I:N/A:P Base Score: 5.0 - Directory traversal due to improper verification of uploaded files (CWE-22) - CVE-2020-5683
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score: 4.3 CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3
Impact
- A remote attacker may be able to cause a denial-of-service (DoS) condition. - CVE-2020-5682
- When a specially crafted file is uploaded, data in the product may be altered. - CVE-2020-5683
Solution
Update the Software
Update to the appropriate version according to the information provided by the developer.
The developer recommends users to upgrade the product to v4.2 series because v3 series and earlier are End-of-Support and no patches available.
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
These vulnerabilities were reported by the following persons to IPA, and JPCERT/CC coordinated coordinated with the developer under Information Security Early Warning Partnership.
CVE-2020-5682
Norihide Saito of Information Science College / Flatt Security inc.
CVE-2020-5683
Daisuke Takahashi of CyberAgent, Inc.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2020-5682 |
|
CVE-2020-5683 |
|
| JVN iPedia |
JVNDB-2020-000085 |