Published: 2023/05/15  Last Updated: 2023/05/15

JVN#41694426
Multiple vulnerabilities in Cybozu Garoon

Overview

Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities.

Products Affected

[CyVDB-3122]
  • Cybozu Garoon 4.10.0 to 5.9.2

[CyVDB-3142]
  • Cybozu Garoon 4.6.0 to 5.9.2

[CyVDB-3165]
  • Cybozu Garoon 5.15.0

Description

Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.

  • [CyVDB-3122] Denial-of-service (DoS) in Message (CWE-400) - CVE-2023-26595
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L Base Score: 5.0
    CVSS v2 AV:N/AC:L/Au:S/C:N/I:N/A:P Base Score: 4.0
  • [CyVDB-3142] Operation restriction bypass vulnerability in Message and Bulletin (CWE-285) - CVE-2023-27304
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0
  • [CyVDB-3165] Operation restriction bypass vulnerability in MultiReport (CWE-284) - CVE-2023-27384
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0

Impact

  • [CyVDB-3122]:
    A user who can log in to the product may be able to cause a denial-of-service (DoS) condition.
  • [CyVDB-3142]:
    A user who can log in to the product may alter the data of Message and/or Bulletin.
  • [CyVDB-3165]:
    A user who can log in to the product may alter the data of MultiReport.

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

Vendor        Status      Last Update  Vendor Notes
Cybozu, Inc.  Vulnerable  2023/05/15   Cybozu, Inc. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2023-27384
Yuji Tounai reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.

CVE-2023-26595, CVE-2023-27304
Cybozu, Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.

Other Information

CVE         CVE-2023-26595
            CVE-2023-27304
            CVE-2023-27384
JVN iPedia  JVNDB-2023-000049