Published: 2023/08/18 Last Updated: 2023/08/18
JVN#19661362
Multiple vulnerabilities in Proself
Critical
Overview
Proself provided by North Grid Corporation contains multiple vulnerabilities.
Products Affected
- Proself Enterprise/Standard Edition Ver5.61 and earlier
- Proself Gateway Edition Ver1.62 and earlier
- Proself Mail Sanitize Edition Ver1.07 and earlier
Description
Proself provided by North Grid Corporation is online storage server software. Proself contains the multiple vulnerabilities listed below.
- Improper authentication (CWE-287) - CVE-2023-39415
  - CVSS v3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, Base Score: 7.5
  - CVSS v2: AV:N/AC:L/Au:N/C:P/I:N/A:N, Base Score: 5.0
- OS command injection (CWE-78) - CVE-2023-39416
  - CVSS v3: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, Base Score: 7.2
  - CVSS v2: AV:N/AC:L/Au:S/C:P/I:P/A:P, Base Score: 6.5
Impact
- A remote unauthenticated attacker may log in to the product's Control Panel and perform an unintended operation - CVE-2023-39415
- An arbitrary OS command may be executed by an attacker who can log in to the product with an administrative privilege - CVE-2023-39416
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
Apply the workaround
Until the software is updated, the following workaround is recommended to mitigate the impact of the vulnerabilities.
- Delete the following two files under "Proself install folder/webapps/proself/WEB-INF/xml/process/external/admin":
  - downloadhistory.xml
  - setclustermyid.xml
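As an added example (not part of the JVN advisory and not tooling from North Grid Corporation), the following POSIX shell functions let an administrator verify whether the two files named in the workaround are still present under a Proself installation, and apply the workaround by copying each file to a backup directory outside the web application before deleting it. The function names, the backup directory and the assumption that Proself is installed on a POSIX host are the example's own; the relative path is the one quoted in the advisory. Proself installations on Windows would need an equivalent PowerShell procedure.

```shell
#!/bin/sh
# Example helper for the JVN#19661362 workaround (added example, not vendor code).
# The relative path below is the one quoted in the advisory; the install
# directory is supplied by the caller.

PROSELF_WORKAROUND_FILES="downloadhistory.xml setclustermyid.xml"
PROSELF_ADMIN_PROCESS_DIR="webapps/proself/WEB-INF/xml/process/external/admin"

# proself_workaround_check <install_dir>
# Prints each workaround file that is still present.
# Returns 0 when neither file remains (workaround applied), 1 otherwise.
proself_workaround_check() {
    install_dir="$1"
    remaining=0
    for f in $PROSELF_WORKAROUND_FILES; do
        path="$install_dir/$PROSELF_ADMIN_PROCESS_DIR/$f"
        if [ -e "$path" ]; then
            echo "PRESENT: $path"
            remaining=$((remaining + 1))
        fi
    done
    [ "$remaining" -eq 0 ]
}

# proself_workaround_apply <install_dir> <backup_dir>
# Copies each present workaround file to <backup_dir> (assumed to lie outside
# the webapps tree so the copy cannot be picked up by the application), then
# deletes the original as the advisory instructs. Returns 0 on success.
proself_workaround_apply() {
    install_dir="$1"
    backup_dir="$2"
    mkdir -p "$backup_dir" || return 1
    for f in $PROSELF_WORKAROUND_FILES; do
        path="$install_dir/$PROSELF_ADMIN_PROCESS_DIR/$f"
        if [ -e "$path" ]; then
            cp -p "$path" "$backup_dir/$f" || return 1
            rm -f "$path" || return 1
            echo "REMOVED: $path (copy kept in $backup_dir)"
        fi
    done
    return 0
}

# Usage (after sourcing this file), with the real install folder substituted:
#   proself_workaround_check /opt/proself            # exit status 1 while files remain
#   proself_workaround_apply /opt/proself /root/proself-workaround-backup
#   proself_workaround_check /opt/proself            # exit status 0 once applied
```

The check function is also usable after the vendor update has been installed, as a quick confirmation that the removed files have not been restored by a reinstall or a restore from backup; it reports only file presence and does not inspect the application's behaviour.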
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
North Grid Corporation reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. JPCERT/CC and North Grid Corporation coordinated under the Information Security Early Warning Partnership.
Other Information
JPCERT Alert: JPCERT-AT-2023-0014 Alert Regarding Authentication Bypass and Remote Code Execution vulnerabilities in Proself (Text in Japanese)
CVE: CVE-2023-39415, CVE-2023-39416
JVN iPedia: JVNDB-2023-000078