Information from WESEEK, Inc.
Vulnerability ID: JVN#94169589
Title: Multiple vulnerabilities in GROWI
Status: Vulnerable
This is a statement from the vendor itself with no modification by JPCERT/CC.
[Summary]
GROWI is developed by WESEEK, Inc.
GROWI contains some bugs.
[Affected Products]
These bugs affect GROWI releases prior to v4.2.3 (v4.2.x).
These bugs affect GROWI releases prior to v4.1.12 (v4.1.x).
CVE-2020-5682
・GROWI v4.2.2 and earlier (v4.2.x)
・GROWI v4.1.11 and earlier (v4.1.x)
・GROWI v3 series and earlier
CVE-2020-5683
・GROWI v4.2.2 and earlier (v4.2.x)
・GROWI v4.1.11 and earlier (v4.1.x)
・GROWI v3 series and earlier
[Description]
There is a denial of service (DoS) vulnerability due to a lack of input value validation.
There is a directory traversal vulnerability due to a lack of validation of uploaded files.
[Impact]
Denial of service (DoS) attacks can be triggered.
Data can be tampered with by uploading crafted files.
[Solution]
v4.2.x users should update GROWI to v4.2.3 or later.
v4.1.x users should update GROWI to v4.1.12 or later.
[Where to get the updated version]
[GitHub](https://github.com/weseek/growi)
[Docker Hub](https://hub.docker.com/r/weseek/growi/)