Published: 2026/04/23  Last Updated: 2026/04/23

Information from GROWI, Inc.

Vulnerability ID: JVN#46728373
Title: GROWI vulnerable to Regular expression Denial-of-Service (ReDoS)
Status: Vulnerable

This is a statement from the vendor itself with no modification by JPCERT/CC.

[Summary]
- GROWI is developed by WESEEK, Inc.
- GROWI contains a vulnerability in the User-Agent parsing process.

[Affected Products]
- All GROWI versions v7.5.0 and earlier are affected.

[Description]
- GROWI releases prior to v7.5.1 contain an unauthenticated ReDoS (regular expression denial-of-service) vulnerability in the User-Agent header parsing process.
- The User-Agent parsing process does not limit the length of the header value before it is matched, so an unauthenticated remote attacker can drive the server's CPU to saturation by sending requests that carry a specially crafted, very long User-Agent string.
- CWE-1333 (Inefficient Regular Expression Complexity)
- CWE-400 (Uncontrolled Resource Consumption)
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Base Score 7.5

[Impact]
An attacker can use a ReDoS attack to exhaust server resources and cause a denial-of-service (DoS) state:
- The server's CPU is saturated, so the entire service becomes unresponsive.
- Requests from other users accessing the system at the same time are delayed significantly or time out.

[Solution]
- Please upgrade your GROWI to v7.5.1 or later.

### Where to get the updated version
- [GitHub](https://github.com/growilabs/growi)
- [Docker Hub](https://hub.docker.com/r/growilabs/growi)