Published: 2024/05/13  Last Updated: 2024/05/13

JVN#28869536
Multiple vulnerabilities in Cybozu Garoon

Overview

Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities.

Products Affected

CVE-2024-31397, CVE-2024-31398, CVE-2024-31399, CVE-2024-31401, CVE-2024-31402
  • Cybozu Garoon 5.0.0 to 5.15.2

CVE-2024-31400
  • Cybozu Garoon 5.0.0 to 5.15.0

CVE-2024-31403
  • Cybozu Garoon 5.0.0 to 6.0.0

CVE-2024-31404
  • Cybozu Garoon 5.5.0 to 6.0.0

Description

Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.

  • Improper handling of data in Mail (CWE-231)
    • CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H Base Score 4.9
    • CVE-2024-31397
    • CyVDB-3167
  • Improper restriction on the output of some API (CWE-201)
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score 4.3
    • CVE-2024-31398
    • CyVDB-3221
  • Excessive resource consumption in Mail (CWE-1050)
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L Base Score 4.3
    • CVE-2024-31399
    • CyVDB-3238
  • Cross-site scripting vulnerability in Scheduler (CWE-79)
    • CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N Base Score 6.9
    • CVE-2024-31401
    • CyVDB-3439
  • Improper restriction on some operation in Shared To-Dos (CWE-863)
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score 4.3
    • CVE-2024-31402
    • CyVDB-3441
  • Information disclosure in Mail (CWE-201)
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Base Score 4.3
    • CVE-2024-31400
    • CyVDB-3402
  • Improper restriction on browsing and operation in Memo (CWE-863)
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Base Score 5.4
    • CVE-2024-31403
    • CyVDB-3151
  • Browse restriction bypass in Scheduler (CWE-201)
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score 4.3
    • CVE-2024-31404
    • CyVDB-3471

Impact

  • A user who can log in to the product with the administrative privilege may be able to cause a denial-of-service (DoS) condition (CVE-2024-31397)
  • A user who can log in to the product may obtain information on the list of users (CVE-2024-31398)
  • Processing a crafted mail may cause a denial-of-service (DoS) condition (CVE-2024-31399)
  • An arbitrary script may be executed on a logged-in user's web browser (CVE-2024-31401)
  • A user who can log in to the product may delete the data of Shared To-Dos (CVE-2024-31402)
  • Unintended data may remain included in forwarded mail (CVE-2024-31400)
  • A user who can log in to the product may alter and/or obtain the data of Memo (CVE-2024-31403)
  • A user who can log in to the product may view the data of Scheduler (CVE-2024-31404)

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

Vendor        Status      Last Update  Vendor Notes
Cybozu, Inc.  Vulnerable  2024/05/13   Cybozu, Inc. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2024-31401
@bttthuan reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.

CVE-2024-31403
Yuji Tounai reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.

CVE-2024-31397, CVE-2024-31398, CVE-2024-31399, CVE-2024-31400, CVE-2024-31402, CVE-2024-31404
Cybozu, Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE: CVE-2024-31397, CVE-2024-31398, CVE-2024-31399, CVE-2024-31400, CVE-2024-31401, CVE-2024-31402, CVE-2024-31403, CVE-2024-31404
JVN iPedia: JVNDB-2024-000047

Update History

2024/05/13
Information under the section [Other Information] was modified.