Published: 2022/06/14  Last Updated: 2022/06/14

JVNVU#96438711
Growi vulnerable to weak password requirements

Overview

GROWI provided by WESEEK, Inc. contains a weak password requirements vulnerability.

Products Affected

  • GROWI versions prior to v5.00

Description

GROWI provided by WESEEK, Inc. contains a weak password requirements vulnerability (CWE-521, CVE-2022-1236).

Impact

If a user sets a weak password, an attacker may be able to access the user's account and its data via a brute-force attack.

Solution

Update the software
Update the software to GROWI v5.00 (v5 series) or above according to the information provided by the developer.
The fixed version requires users to set a longer password at user registration.

  • GROWI v5.00 or later
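The advisory says only that the fixed version demands a longer password at registration. As an added illustration (not GROWI's own code), the following JavaScript shows the pattern behind CWE-521: a registration check that accepts any non-empty password, beside a hardened check that enforces length bounds and rejects well-known passwords. The minimum length, maximum length and denylist are assumed values, not figures taken from the advisory.

```javascript
// Added example, not code from GROWI or from the advisory.
// MIN_LENGTH, MAX_LENGTH and DENYLIST are assumptions chosen for illustration.
const MIN_LENGTH = 8;    // assumed minimum; the advisory only says "longer"
const MAX_LENGTH = 128;  // upper bound so oversized inputs cannot slow down hashing
const DENYLIST = new Set(["password", "12345678", "qwertyui", "letmein1"]); // constructed sample

// Count Unicode code points rather than UTF-16 code units, so that a handful of
// emoji or other astral characters cannot inflate the apparent length.
function codePointLength(s) {
  return Array.from(s).length;
}

// Vulnerable pattern (before the fix): anything non-empty is accepted.
function weakPasswordAccepted(password) {
  return typeof password === "string" && password.length > 0;
}

// Hardened pattern (after the fix): enforce length bounds and a common-password
// denylist. Returns { ok, reasons } so a registration form can report every
// failure at once instead of one at a time.
function validateRegistrationPassword(password) {
  const reasons = [];
  if (typeof password !== "string") {
    return { ok: false, reasons: ["password must be a string"] };
  }
  const len = codePointLength(password);
  if (len < MIN_LENGTH) reasons.push(`must be at least ${MIN_LENGTH} characters`);
  if (len > MAX_LENGTH) reasons.push(`must be at most ${MAX_LENGTH} characters`);
  if (DENYLIST.has(password.toLowerCase())) reasons.push("password is too common");
  return { ok: reasons.length === 0, reasons };
}
```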

Vendor Status

Vendor: WESEEK, Inc.
Status: Vulnerable
Last Update: 2022/06/14
Vendor Notes: WESEEK, Inc. website

References

  1. huntr: Weak Password Requirements in weseek/growi

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Base Score: 6.5
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality Impact (C): Low (L)
Integrity Impact (I): Low (L)
Availability Impact (A): None (N)

Credit

418sec first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WESEEK, Inc. as a coordinator. After the coordination between 418sec and WESEEK, Inc. was completed, this case was published to notify users of the solution through JVN.
