Published: 2022/07/04  Last Updated: 2022/07/06

JVN#14077132
Multiple vulnerabilities in Cybozu Garoon

Overview

Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities.

Products Affected

  • Cybozu Garoon 4.0.0 to 5.9.1

Description

Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.

  • [CyVDB-2909] Operation restriction bypass in multiple applications (CWE-285) - CVE-2022-30602
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L Base Score: 5.4
    CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:P Base Score: 5.5
  • [CyVDB-3042] Information disclosure in multiple applications (CWE-200) - CVE-2022-29512
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0
  • [CyVDB-3111] Improper input validation in multiple applications (CWE-20) - CVE-2022-29926 (crossed out in the advisory; see JPCERT/CC Addendum)
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H Base Score: 7.1
    CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:P Base Score: 5.5
  • [CyVDB-3143] Browsing restriction bypass vulnerability in Bulletin (CWE-284) - CVE-2022-30943
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0

Impact

  • [CyVDB-2909]:
    A user who can log in to the product may alter file information and/or delete files.
  • [CyVDB-3042]:
    A user who can log in to the product may obtain data without having the viewing privilege.
  • [CyVDB-3111] (crossed out in the advisory; see JPCERT/CC Addendum):
    A user who can log in to the product may cause a denial-of-service (DoS) condition.
  • [CyVDB-3143]:
    A user who can log in to the product may obtain Bulletin data.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor | Status | Last Update | Vendor Notes
Cybozu, Inc. | Vulnerable | 2022/07/06 | Cybozu, Inc. website

JPCERT/CC Addendum

【Updated on 2022 July 6】
After further investigation, the developer determined that [CyVDB-3111] was not a vulnerability.
The JVN advisory was therefore updated by crossing out the description of [CyVDB-3111].

Credit

CVE-2022-30602
Shuichi Uruma reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.

CVE-2022-30943
Yuji Tounai reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.

CVE-2022-29512
Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.

Other Information

CVE: CVE-2022-29512, CVE-2022-29926, CVE-2022-30602, CVE-2022-30943
JVN iPedia: JVNDB-2022-000051

Update History

2022/07/06
Information under [JPCERT/CC Addendum] was added.
2022/07/06
Cybozu, Inc. update status