Published: 2020/12/15  Last Updated: 2020/12/15

Information from WESEEK, Inc.

Vulnerability ID: JVN#94169589
Title: Multiple vulnerabilities in GROWI
Status: Vulnerable

This is a statement from the vendor itself with no modification by JPCERT/CC.

[Summary]
GROWI is developed by WESEEK, Inc.
GROWI contains multiple vulnerabilities.

[Affected Products]
These bugs affect GROWI releases prior to v4.2.3 (v4.2.x)
These bugs affect GROWI releases prior to v4.1.12 (v4.1.x)

CVE-2020-5682
・GROWI v4.2.2 and earlier (v4.2.x)
・GROWI v4.1.11 and earlier (v4.1.x)
・GROWI v3 series and earlier

CVE-2020-5683
・GROWI v4.2.2 and earlier (v4.2.x)
・GROWI v4.1.11 and earlier (v4.1.x)
・GROWI v3 series and earlier

[Description]

There is a denial of service (DoS) vulnerability due to insufficient validation of input values.
There is a directory traversal vulnerability due to insufficient validation of uploaded files.

[Impact]

A denial of service (DoS) condition can be triggered.
Data can be tampered with by uploading crafted files.

[Solution]
Users of v4.2.x should update GROWI to v4.2.3 or later.
Users of v4.1.x should update GROWI to v4.1.12 or later.

[Where to get the updated version]
[GitHub](https://github.com/weseek/growi)
[Docker Hub](https://hub.docker.com/r/weseek/growi/)