Information from GROWI, Inc.
Vulnerability ID: JVN#38788367
Title: GROWI vulnerable to path traversal
Status: Vulnerable
This is a statement from the vendor itself with no modification by JPCERT/CC.
Summary
GROWI is developed by GROWI, Inc.
A vulnerability related to path traversal attacks has been identified in the GROWI system provided by our company.
Affected Products
Product: GROWI
Affected versions: All versions prior to v7.5.0
Description
A path traversal vulnerability exists in GROWI.
By manipulating the EJS template loading path, it is possible to execute a malicious template uploaded by an attacker.
CWE-22 (Path Traversal)
CWE-94 (Code Injection)
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Base Score 8.0
Impact
The following conditions are required for this attack to succeed:
Mail server is configured
(If via password reset) Password reset is enabled
Administrator session
In an environment where an attacker with an administrator session meets the above prerequisites, theft of sensitive files on the server (configuration files, private keys, etc.) becomes possible. Furthermore, if local file upload is enabled, combining this with a malicious EJS file could lead to arbitrary OS command execution on the server, backdoor installation, and service disruption.
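A containment check of the kind that stops a template loader from leaving its directory, written as an added example; it is not GROWI's code and not the fix shipped by the vendor. The names `resolveTemplate` and `demo`, the directory layout and the `.ejs` allowlist are assumptions, and all files are constructed in a temporary directory.

```javascript
'use strict';
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical helper: map a caller-supplied template name to a file that
// really lives under templateRoot, or throw. Not taken from GROWI.
function resolveTemplate(templateRoot, name) {
  if (typeof name !== 'string' || name.includes('\0')) {
    throw new Error('invalid template name');
  }
  if (path.extname(name) !== '.ejs') throw new Error('not a template');
  // realpathSync collapses ".." and follows symlinks, so real locations are compared.
  const root = fs.realpathSync(templateRoot);
  let real;
  try {
    real = fs.realpathSync(path.resolve(root, name));
  } catch {
    throw new Error('template not found');
  }
  // Trailing separator: "/srv/templates-old" must not pass as "/srv/templates".
  if (!real.startsWith(root + path.sep)) throw new Error('outside template root');
  return real;
}

// Constructed layout: a template directory beside an upload directory.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'tpl-'));
  const root = path.join(base, 'templates');
  const uploads = path.join(base, 'uploads');
  fs.mkdirSync(path.join(root, 'mail'), { recursive: true });
  fs.mkdirSync(uploads);
  fs.writeFileSync(path.join(root, 'mail', 'reset.ejs'), 'Hello <%= name %>');
  fs.writeFileSync(path.join(uploads, 'note.ejs'), 'placeholder');
  fs.symlinkSync(uploads, path.join(root, 'link')); // symlink leaving the root
  const names = ['mail/reset.ejs', '../uploads/note.ejs', 'link/note.ejs',
    path.join(uploads, 'note.ejs'), 'mail/reset.txt'];
  const results = names.map((n) => {
    try { resolveTemplate(root, n); return 'ok'; } catch (e) { return e.message; }
  });
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}
```

Only the first name resolves; the relative, symlinked and absolute paths into the upload directory are all rejected because the comparison is made on resolved paths rather than on the string the caller supplied.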
Solution
Please upgrade your GROWI to v7.5.1 or later.
Where to get the updated version
GitHub
Docker Hub
