JVNVU#96438711
Growi vulnerable to weak password requirements
Overview
GROWI provided by WESEEK, Inc. contains a weak password requirements vulnerability.
Products Affected
- GROWI versions prior to v5.00
Description
GROWI provided by WESEEK, Inc. contains a weak password requirements vulnerability (CWE-521, CVE-2022-1236).
Impact
If a user sets a weak password, an attacker may be able to access the user's account and its data via a bruteforce attack.
Solution
Update the software
Update the software to GROWI v5.00 (v5 series) or above according to the information provided by the developer.
The fixed version requires a user to set a longer password at the user registration.
- GROWI v5.00 or later
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| WESEEK, Inc. | Vulnerable | 2022/06/14 | WESEEK, Inc. website |
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
Credit
418sec first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WSEEK, Inc. as a coordinator. After the coordination between 418sec and WESEEK, Inc. was completed, this case was published to notify the users of the solution through JVN.