Information from GROWI, Inc.
Vulnerability ID: JVN#46373837
Title: Missing authorization in the OpenAI thread/message API endpoints of GROWI
Status: Vulnerable
This is a statement from the vendor itself with no modification by JPCERT/CC.
### Summary
- GROWI is developed by WESEEK, Inc.
- GROWI contains a vulnerability in the OpenAI thread/message API endpoints.
### Affected Products
- Product: GROWI
- Affected versions: All versions prior to v7.4.5
### Description
- GROWI releases prior to v7.4.5 contain an IDOR (Insecure Direct Object Reference) vulnerability in the OpenAI thread/message API endpoints.
- The API endpoints lack proper ownership verification when accessing thread relations.
- This allows authenticated users to access, post to, edit, and delete other users' AI assistant threads and messages.
- CWE-862: Missing Authorization
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L Base Score 8.3
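The following block is an added illustration of the defect class described above (a lookup keyed only on an identifier the caller supplies, with no check that the requester owns the record) next to the ownership-scoped form that closes it. It is not GROWI's code: the in-memory `threads` store, the `aiAssistantId`/`ownerId` field names, the sample users and the function names are all constructed assumptions for this example.

```javascript
// Added example (not GROWI's code): a hypothetical in-memory model of
// AI-assistant threads showing the missing-authorization pattern of CWE-862
// and the ownership check that corrects it.

// Constructed sample data: two users sharing one assistant, each owning a thread.
const threads = new Map([
  ['t-1', { id: 't-1', aiAssistantId: 'asst-shared', ownerId: 'alice', messages: ['hello'] }],
  ['t-2', { id: 't-2', aiAssistantId: 'asst-shared', ownerId: 'bob', messages: ['hi'] }],
]);

class NotFoundError extends Error {
  constructor() { super('not found'); this.status = 404; }
}

// Vulnerable pattern: the filter uses only the assistant id supplied by the
// caller, so any authenticated user who knows that id receives every thread.
function listThreadsVulnerable(requester, aiAssistantId) {
  return [...threads.values()].filter(t => t.aiAssistantId === aiAssistantId);
}

// Hardened pattern: the query is additionally scoped to the requester, so the
// caller-supplied identifier alone cannot widen the result set.
function listThreadsFixed(requester, aiAssistantId) {
  return [...threads.values()].filter(
    t => t.aiAssistantId === aiAssistantId && t.ownerId === requester.id);
}

// Single ownership gate reused by every per-thread operation. Answering 404 for
// both "no such thread" and "not your thread" avoids confirming that another
// user's thread id exists.
function loadOwnedThread(requester, threadId) {
  const t = threads.get(threadId);
  if (!t || t.ownerId !== requester.id) throw new NotFoundError();
  return t;
}

// Read, write and delete all go through the same gate.
function getMessages(requester, threadId) {
  return loadOwnedThread(requester, threadId).messages.slice();
}

function postMessage(requester, threadId, text) {
  const t = loadOwnedThread(requester, threadId);
  t.messages.push(text);
  return t.messages.length;
}

function deleteThread(requester, threadId) {
  loadOwnedThread(requester, threadId);
  threads.delete(threadId);
  return true;
}

// Contrast the two listing functions for the same requester and assistant id.
function demo() {
  const bob = { id: 'bob' };
  return {
    leakedOwners: listThreadsVulnerable(bob, 'asst-shared').map(t => t.ownerId),
    scopedOwners: listThreadsFixed(bob, 'asst-shared').map(t => t.ownerId),
  };
}

console.log(demo());
```

The point of `loadOwnedThread` is that the ownership decision is made in one place and every thread-level route (list, read, post, edit, delete) calls it, so a new endpoint cannot accidentally skip the check the way a per-handler comparison can.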
### Impact
An authenticated user who knows a shared AI assistant's identifier can:
- Retrieve other users' thread lists
- View their messages
- Post messages to their threads
- Edit their messages
- Delete their threads
### Solution
- Please upgrade GROWI to v7.4.6 or later.
### Where to get the updated version
- [GitHub](https://github.com/weseek/growi)
- [Docker Hub](https://hub.docker.com/r/weseek/growi/)
