Published: 2022/08/23  Last Updated: 2022/08/23

JVNVU#96002401
Multiple vulnerabilities in PukiWiki

Overview

PukiWiki provided by PukiWiki Development Team contains multiple vulnerabilities.

Products Affected

CVE-2022-34486

  • PukiWiki versions 1.4.5 to 1.5.3

CVE-2022-27637

  • PukiWiki versions 1.5.1 to 1.5.3

Description

PukiWiki provided by PukiWiki Development Team contains multiple vulnerabilities listed below.

  • Path Traversal (CWE-22) - CVE-2022-34486
    CVSS v3 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N Base Score: 7.7
  • Reflected Cross-site Scripting (CWE-79) - CVE-2022-27637
    CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1

Impact

  • An administrator of the product may execute a malicious script - CVE-2022-34486
  • An arbitrary script may be executed on the web browser of the user who is using the product - CVE-2022-27637

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.
According to the developer, these vulnerabilities have been fixed in version 1.5.4.

Vendor Status

Vendor: PukiWiki Development Team
Link: PukiWiki/Errata (Text in Japanese)

Credit

Harold Kim reported these vulnerabilities to the developer and coordinated. After coordination was completed, this case was reported to JPCERT/CC and JPCERT/CC coordinated with the developer for the publication.

Other Information

CVE: CVE-2022-34486, CVE-2022-27637