JVN#73472345: GRANDIT vulnerable to session management

Overview

GRANDIT contains a vulnerability in session management.

Products Affected

GRANDIT Ver.1.6
GRANDIT Ver.2.0
GRANDIT Ver.2.1
GRANDIT Ver.2.2
GRANDIT Ver.2.3
GRANDIT Ver.3.0

Description

GRANDIT provided by GRANDIT CORPORATION contains a vulnerability in session management (CWE-639).

Impact

A user who can access to the product may impersonate an arbitrary user. As a result, information may be altered or disclosed.

Solution

Apply the Patch
Apply the appropriate patch according to the information provided by the developer.

Vendor Status

Vendor	Status	Last Update	Vendor Notes
GRANDIT CORPORATION	Vulnerable	2020/03/02	GRANDIT CORPORATION website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Base Score: 4.2

Attack Vector(AV)	Physical (P)	Local (L)	Adjacent (A)	Network (N)
Attack Complexity(AC)	High (H)	Low (L)
Privileges Required(PR)	High (H)	Low (L)	None (N)
User Interaction(UI)	Required (R)	None (N)
Scope(S)	Unchanged (U)	Changed (C)
Confidentiality Impact(C)	None (N)	Low (L)	High (H)
Integrity Impact(I)	None (N)	Low (L)	High (H)
Availability Impact(A)	None (N)	Low (L)	High (H)

CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:N

Base Score: 4.0

Access Vector(AV)	Local (L)	Adjacent Network (A)	Network (N)
Access Complexity(AC)	High (H)	Medium (M)	Low (L)
Authentication(Au)	Multiple (M)	Single (S)	None (N)
Confidentiality Impact(C)	None (N)	Partial (P)	Complete (C)
Integrity Impact(I)	None (N)	Partial (P)	Complete (C)
Availability Impact(A)	None (N)	Partial (P)	Complete (C)

Credit

Kazuki Mitobe of FUJISOFT INCORPORATED reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE	CVE-2020-5539
JVN iPedia	JVNDB-2020-000019

JVN#73472345 GRANDIT vulnerable to session management