Published:2021/03/08 Last Updated:2021/09/22
JVNVU#94889258
Multiple vulnerabilities in GROWI
Overview
GROWI contains multiple vulnerabilities.
Products Affected
CVE-2021-20667, CVE-2021-20668, CVE-2021-20669, CVE-2021-20670, CVE-2021-20671
- GROWI versions v4.2.2 and earlier
- GROWI versions v4.2.19 and earlier
Description
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
- Stored Cross-site Scripting (CWE-79) - CVE-2021-20667
CVSS v3 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N Base Score: 3.7 - Path Traversal (CWE-22) - CVE-2021-20668
CVSS v3 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N Base Score: 3.0 - Path Traversal (CWE-22) - CVE-2021-20669
CVSS v3 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:H Base Score: 6.2 - Improper Access Control (CWE-284) - CVE-2021-20670
CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N Base Score: 5.8 - Improper Input Validation (CWE-20) - CVE-2021-20671
CVSS v3 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H Base Score: 7.6 - Cross-site Scripting (CWE-79) - CVE-2021-20829
CVSS v3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N Base Score: 4.6
Impact
- Inadequate CSP (Content Security Policy) configuration allows a remote attacker to execute an arbitrary script on the web browser of the user who accesses an attached file containing a specially crafted content - CVE-2021-20667
- An arbitrary path can be read if a remote attacker with administrative privilege accesses the affected product via a specially crafted URL - CVE-2021-20668
- An arbitrary path can be read and/or deleted if a remote attacker with administrative privilege sends a specially crafted request - CVE-2021-20669
- Improper access control of files allows an unauthenticated remote attacker to read the user's personal information and/or server's internal information - CVE-2021-20670
- Invalid file validation on the upload feature allows a remote attacker with administrative privilege to overwrite the files on the server, which may lead to arbitrary code execution - CVE-2021-20671
- Inadequate tag sanitization allows a remote attacker to execute an arbitrary script on the web browser of the user who accesses a specially crafted page - CVE-2021-20829
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
According to the developer, these vulnerabilities were fixed in the following software version.
- GROWI v4.2.20
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| WESEEK, Inc. | Vulnerable | 2021/09/15 | WESEEK, Inc. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
stypr of Flatt Security Inc. reported these vulnerabilities to the developer and coordinated on his own.
After coordination was completed, this case was reported to JPCERT/CC, and JPCERT/CC coordinated with the developer for the publication.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2021-20667 |
|
CVE-2021-20668 |
|
|
CVE-2021-20669 |
|
|
CVE-2021-20670 |
|
|
CVE-2021-20671 |
|
|
CVE-2021-20829 |
|
| JVN iPedia |
|
Update History
- 2021/09/15
- WESEEK, Inc. update status
- 2021/09/15
- WESEEK, Inc. update status
- 2021/09/15
- WESEEK, Inc. update status
- 2021/09/15
- WESEEK, Inc. update status
- 2021/09/15
- WESEEK, Inc. update status
- 2021/09/17
- Added CVE-2021-20829 vulnerability information thereby updated the information under [Products Affected], [Description], [Impact], [Solution], and [Other Information] sections.
- 2021/09/22
- Fixed the typo under the section [Impact].
- 2021/09/22
- Fixed the typo under the section [Update History].