JVN#14077132: Multiple vulnerabilities in Cybozu Garoon

Overview

Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities.

Products Affected

Cybozu Garoon 4.0.0 to 5.9.1

Description

Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.

[CyVDB-2909] Operation restriction bypass in multiple applications (CWE-285) - CVE-2022-30602

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L Base Score: 5.4

CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:P Base Score: 5.5
[CyVDB-3042] Information disclosure in multiple applications (CWE-200) - CVE-2022-29512

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3

CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0
[CyVDB-3111] Improper input validation in multiple applications (CWE-20) - CVE-2022-29926

~~CVSS v3~~ ~~CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H~~ ~~Base Score: 7.1~~

~~CVSS v2~~ ~~AV:N/AC:L/Au:S/C:N/I:P/A:P~~ ~~Base Score: 5.5~~
[CyVDB-3143] Browsing restriction bypass vulnerability in Bulletin (CWE-284) - CVE-2022-30943

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3

CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0

Impact

[CyVDB-2909]:
A user who can log in to the product may alter the file information and/or delete the files.
[CyVDB-3042]:
A user who can log in to the product may obtain the data without the viewing privilege.
[CyVDB-3111]:
A user who can log in to the product may cause a denial-of-service (DoS) condition.
[CyVDB-3143]:
A user who can log in to the product may obtain the data of Bulletin.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor	Status	Last Update	Vendor Notes
Cybozu, Inc.	Vulnerable	2022/07/06	Cybozu, Inc. website

References

JPCERT/CC Addendum

【Updated on 2022 July 6】
The developer identified that [CyVDB-3111] was not a vulnerability after the further investigation.
Therefore the JVN advisory was updated by crossing out the description regarding [CyVDB-3111].

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2022-30602
Shuichi Uruma reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.

CVE-2022-30943
Yuji Tounai reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.

CVE-2022-29512
Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE	CVE-2022-29512
	CVE-2022-29926
	CVE-2022-30602
	CVE-2022-30943
JVN iPedia	JVNDB-2022-000051

Update History

2022/07/06: Information under [JPCERT/CC Addendum] was added.
2022/07/06: Cybozu, Inc. update status

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L	Base Score: 5.4
CVSS v2	AV:N/AC:L/Au:S/C:N/I:P/A:P	Base Score: 5.5

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	Base Score: 4.3
CVSS v2	AV:N/AC:L/Au:S/C:P/I:N/A:N	Base Score: 4.0

~~CVSS v3~~	~~CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H~~	~~Base Score: 7.1~~
~~CVSS v2~~	~~AV:N/AC:L/Au:S/C:N/I:P/A:P~~	~~Base Score: 5.5~~

JVN#14077132 Multiple vulnerabilities in Cybozu Garoon