Published: 2021/06/14 Last Updated: 2021/06/14
JVN#95457785
Multiple vulnerabilities in GROWI
Overview
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities.
Products Affected
- GROWI versions prior to v4.2.20
Description
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
- NoSQL injection (CWE-943) - CVE-2021-20736
  CVSS v3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Base Score: 7.3
  CVSS v2: AV:N/AC:L/Au:N/C:P/I:P/A:P Base Score: 7.5
- Improper authentication (CWE-287) - CVE-2021-20737
  CVSS v3: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3
  CVSS v2: AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0
Impact
- A user who can access the product may obtain and/or alter information stored in the database - CVE-2021-20736
- A user who can log in to the product may view pages they are not authorized to access - CVE-2021-20737
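As an added illustration of the vulnerability class named in the Description (NoSQL injection, CWE-943), and not GROWI's actual code path, the following example shows the pattern in which parsed request data reaches a MongoDB-style query unchecked, next to the hardened form that rejects anything other than a plain string before the filter is built. The collection, field names, `findUserUnsafe`/`findUserSafe` functions and request bodies are constructed for this example; `matches` is a deliberately tiny stand-in for the database's filter evaluation.

```javascript
// Added example for this page (editor-supplied, not GROWI's code): the
// CWE-943 pattern behind NoSQL injection in a Node.js/MongoDB-style service,
// with the hardened form beside it. Everything below is constructed.

// Constructed records standing in for a MongoDB collection.
const users = [
  { username: 'alice', apiToken: 'token-alice-1', role: 'admin' },
  { username: 'bob', apiToken: 'token-bob-2', role: 'user' },
];

// Minimal stand-in for MongoDB filter matching. It supports equality and the
// $ne operator only, which is enough to show how an object in place of a
// string changes what the query means.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object') {
      if ('$ne' in cond) return doc[field] !== cond.$ne;
      throw new Error(`unsupported operator in ${JSON.stringify(cond)}`);
    }
    return doc[field] === cond;
  });
}

function findOne(filter) {
  return users.find((doc) => matches(doc, filter)) || null;
}

// Vulnerable pattern: parsed JSON body values go straight into the filter.
// JSON can carry an object where a string was expected, so operator keys
// reach the database layer and the lookup no longer requires the real token.
function findUserUnsafe(body) {
  return findOne({ username: body.username, apiToken: body.apiToken });
}

// Hardened pattern: every value used in the filter must be a primitive
// string; anything else (objects, arrays, numbers, undefined) is rejected
// before a query is built, so operator objects never reach the database.
function requireString(value, name) {
  if (typeof value !== 'string') {
    throw new TypeError(`${name} must be a string`);
  }
  return value;
}

function findUserSafe(body) {
  const username = requireString(body.username, 'username');
  const apiToken = requireString(body.apiToken, 'apiToken');
  return findOne({ username, apiToken });
}

// Constructed request bodies: a well-formed one, and one in which the token
// field arrives as an operator object instead of a string.
const normalBody = JSON.parse('{"username":"alice","apiToken":"token-alice-1"}');
const operatorBody = JSON.parse('{"username":"alice","apiToken":{"$ne":""}}');

console.log('unsafe, normal body  :', findUserUnsafe(normalBody));
console.log('unsafe, operator body:', findUserUnsafe(operatorBody)); // still returns alice
console.log('safe, normal body    :', findUserSafe(normalBody));
try {
  findUserSafe(operatorBody);
} catch (e) {
  console.log('safe, operator body  : rejected ->', e.message);
}
```

The type check at the point of use is what closes CWE-943: the vulnerable path returns the record without the matching token, while the hardened path never builds the query. In a real service the same rule is normally enforced by a request-schema validator at the API boundary, with middleware that strips `$`-prefixed keys (for example express-mongo-sanitize, or the `sanitizeFilter` option in Mongoose 6 and later) as defence in depth rather than as the only control.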
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
The developer has released the fixed version v4.2.20.
The developer recommends that users upgrade to the v4.2 series, because the v3 series and earlier have reached End-of-Support and no updates or patches are provided for them.
Vendor Status
Vendor | Status | Last Update | Vendor Notes
---|---|---|---
WESEEK, Inc. | Vulnerable | 2021/06/14 | WESEEK, Inc. website
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Other Information
CVE: CVE-2021-20736, CVE-2021-20737
JVN iPedia: JVNDB-2021-000050