Published: 2022/02/22  Last Updated: 2022/02/22

JVN#53871926
EC-CUBE improperly handles HTTP Host header values

Overview

EC-CUBE provided by EC-CUBE CO.,LTD. improperly handles HTTP Host header values.

Products Affected

  • EC-CUBE 3.0.0 to 3.0.18-p3 (EC-CUBE 3 series)
  • EC-CUBE 4.0.0 to 4.1.1 (EC-CUBE 4 series)

Description

EC-CUBE provided by EC-CUBE CO.,LTD. improperly handles HTTP Host header values (CWE-913).

Impact

A remote attacker may cause a vulnerable version of EC-CUBE to send EC-CUBE users an email containing a forged password-reissue URL.

Solution

Apply Workaround
Apply the following workaround to avoid the impacts of this vulnerability.

  • Set TRUSTED_HOSTS
For more information, refer to the information provided by the developer.

Update the software and add the settings
The developer has released EC-CUBE 4.1.2 (for the EC-CUBE 4 series), which provides a user interface to configure TRUSTED_HOSTS.
Configure TRUSTED_HOSTS from [Admin Console > Settings > System Settings > Security].
According to the developer, TRUSTED_HOSTS is automatically configured when EC-CUBE 4.1.2 is newly installed.
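
The effect of a trusted-host allowlist on the password-reissue link, as an added example (not EC-CUBE's code and not provided by the developer): the link is built only when the Host header matches an allowlist pattern. The function names, the URL path, the comma-separated regex format of the setting and the sample hostnames are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration only; not EC-CUBE source. All names here are hypothetical.

/** Turn a comma-separated TRUSTED_HOSTS value (assumed format) into regexes. */
function parseTrustedHosts(string $value): array
{
    $patterns = [];
    foreach (explode(',', $value) as $p) {
        if (($p = trim($p)) !== '') {
            $patterns[] = '{' . $p . '}i';   // case-insensitive match
        }
    }
    return $patterns;
}

/** Lower-case the client-supplied Host header and drop any port suffix. */
function normalizeHost(string $hostHeader): string
{
    return strtolower((string) preg_replace('/:\d+$/', '', trim($hostHeader)));
}

function isTrustedHost(string $hostHeader, array $patterns): bool
{
    $host = normalizeHost($hostHeader);
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $host) === 1) {
            return true;
        }
    }
    return false;   // an empty allowlist trusts nothing in this example
}

/** Build the mail link only for an allowlisted host; otherwise refuse. */
function passwordReissueUrl(string $hostHeader, string $token, array $patterns): string
{
    if (!isTrustedHost($hostHeader, $patterns)) {
        throw new RuntimeException('Untrusted Host header; no mail is sent');
    }
    return 'https://' . normalizeHost($hostHeader) . '/reissue/' . rawurlencode($token);
}

// Constructed sample values (reserved example/test domains).
$anchored = parseTrustedHosts('^shop\.example\.com$');
$loose    = parseTrustedHosts('shop\.example\.com');   // missing ^ and $
foreach (['shop.example.com:443', 'shop.example.com.other.test'] as $h) {
    printf("%-30s anchored=%s loose=%s\n", $h,
        var_export(isTrustedHost($h, $anchored), true), var_export(isTrustedHost($h, $loose), true));
}
```

An unanchored pattern accepts any host that merely contains the trusted name, so each allowlist entry should begin with ^ and end with $.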

Vendor Status

Vendor             Status       Last Update   Vendor Notes
EC-CUBE CO.,LTD.   Vulnerable   2022/02/22    EC-CUBE CO.,LTD. website

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Base Score: 3.1

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): None (N)
  • Integrity Impact (I): Low (L)
  • Availability Impact (A): None (N)

CVSS v2: AV:N/AC:H/Au:N/C:N/I:P/A:N
Base Score: 2.6

  • Access Vector (AV): Network (N)
  • Access Complexity (AC): High (H)
  • Authentication (Au): None (N)
  • Confidentiality Impact (C): None (N)
  • Integrity Impact (I): Partial (P)
  • Availability Impact (A): None (N)

Credit

EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2022-25355
JVN iPedia: JVNDB-2022-000015