Published: 2020/12/15  Last Updated: 2020/12/15

JVN#94169589
Multiple vulnerabilities in GROWI

Overview

GROWI contains multiple vulnerabilities.

Products Affected

  • GROWI versions prior to v4.2.3 (v4.2 Series)
  • GROWI versions prior to v4.1.12 (v4.1 Series)
  • GROWI v3 series and earlier

Description

GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.

  • Denial-of-service (DoS) due to improper verification of input values (CWE-400) - CVE-2020-5682
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Base Score: 5.3
    CVSS v2 AV:N/AC:L/Au:N/C:N/I:N/A:P Base Score: 5.0
  • Directory traversal due to improper verification of uploaded files (CWE-22) - CVE-2020-5683
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3

Impact

  • A remote attacker may be able to cause a denial-of-service (DoS) condition. - CVE-2020-5682
  • When a specially crafted file is uploaded, data in the product may be altered. - CVE-2020-5683

Solution

Update the Software
Update to the appropriate version according to the information provided by the developer.

The developer recommends that users upgrade the product to the v4.2 series, because the v3 series and earlier are End-of-Support and no patches are available for them.

Vendor Status

Vendor        Status      Last Update  Vendor Notes
WESEEK, Inc.  Vulnerable  2020/12/15

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

These vulnerabilities were reported to IPA by the following persons, and JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVE-2020-5682
Norihide Saito of Information Science College / Flatt Security inc.

CVE-2020-5683
Daisuke Takahashi of CyberAgent, Inc.

Other Information

CVE         CVE-2020-5682, CVE-2020-5683
JVN iPedia  JVNDB-2020-000085