CVE-2023-27384: Multiple vulnerabilities in Cybozu Garoon

Operation restriction bypass vulnerability in MultiReport of Cybozu Garoon 5.15.0 allows a remote authenticated attacker to alter the data of MultiReport.


Published:2023/05/15 Last Updated:2023/05/15

Overview

Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities.

Products Affected

[CyVDB-3122]

  • Cybozu Garoon 4.10.0 to 5.9.2

[CyVDB-3142]

  • Cybozu Garoon 4.6.0 to 5.9.2

[CyVDB-3165]

  • Cybozu Garoon 5.15.0

Description

Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.

  • [CyVDB-3122] Denial-of-service (DoS) in Message (CWE-400) - CVE-2023-26595

    CVSS v3: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L (Base Score: 5.0)
    CVSS v2: AV:N/AC:L/Au:S/C:N/I:N/A:P (Base Score: 4.0)

  • [CyVDB-3142] Operation restriction bypass vulnerability in Message and Bulletin (CWE-285) - CVE-2023-27304

    CVSS v3: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (Base Score: 4.3)
    CVSS v2: AV:N/AC:L/Au:S/C:N/I:P/A:N (Base Score: 4.0)

  • [CyVDB-3165] Operation restriction bypass vulnerability in MultiReport (CWE-284) - CVE-2023-27384

    CVSS v3: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (Base Score: 4.3)
    CVSS v2: AV:N/AC:L/Au:S/C:N/I:P/A:N (Base Score: 4.0)

Impact

  • [CyVDB-3122]:
    A user who can log in to the product may be able to cause a denial-of-service (DoS) condition.
  • [CyVDB-3142]:
    A user who can log in to the product may alter the data of Message and/or Bulletin.
  • [CyVDB-3165]:
    A user who can log in to the product may alter the data of MultiReport.

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2023-27384
Yuji Tounai reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.

CVE-2023-26595, CVE-2023-27304
Cybozu, Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
