CVE-2022-41799 - Vulnerability Details - OpenCVE

Improper access control vulnerability in GROWI prior to v5.1.4 (v5 series) and versions prior to v4.5.25 (v4 series) allows a remote authenticated attacker to bypass access restriction and download the markdown data from the pages set to private by the other users.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Weseek	Growi

Configuration 1 [-]

OR	cpe:2.3:a:weseek:growi::::::::
	cpe:2.3:a:weseek:growi::::::::

No data.

References

Link	Providers
https://jvn.jp/en/jp/JVN00845253/index.html
https://weseek.co.jp/en/news/2022/10/07/growi-private-page-can-be-viewed/

History

Wed, 07 May 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2022-10-24T00:00:00.000Z

Updated: 2025-05-07T16:12:01.378Z

Reserved: 2022-09-30T00:00:00.000Z

Link: CVE-2022-41799

Vulnrichment

Updated: 2024-08-03T12:56:38.188Z

NVD

Status : Modified

Published: 2022-10-24T14:15:52.687

Modified: 2025-05-07T17:15:57.040

Link: CVE-2022-41799

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-41799", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "dateUpdated": "2025-05-07T16:12:01.378Z", "dateReserved": "2022-09-30T00:00:00.000Z", "datePublished": "2022-10-24T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2022-10-24T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Improper access control vulnerability in GROWI prior to v5.1.4 (v5 series) and versions prior to v4.5.25 (v4 series) allows a remote authenticated attacker to bypass access restriction and download the markdown data from the pages set to private by the other users."}], "affected": [{"vendor": "WESEEK, Inc.", "product": "GROWI v5 series and v4 series", "versions": [{"version": "versions prior to v5.1.4 (v5 series) and versions prior to v4.5.25 (v4 series)", "status": "affected"}]}], "references": [{"url": "https://weseek.co.jp/en/news/2022/10/07/growi-private-page-can-be-viewed/"}, {"url": "https://jvn.jp/en/jp/JVN00845253/index.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Improper Access Control"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:56:38.188Z"}, "title": "CVE Program Container", "references": [{"url": "https://weseek.co.jp/en/news/2022/10/07/growi-private-page-can-be-viewed/", "tags": ["x_transferred"]}, {"url": "https://jvn.jp/en/jp/JVN00845253/index.html", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-05-07T16:11:29.358137Z", "id": "CVE-2022-41799", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-07T16:12:01.378Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-41799", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "dateUpdated": "2025-05-07T16:12:01.378Z", "dateReserved": "2022-09-30T00:00:00.000Z", "datePublished": "2022-10-24T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2022-10-24T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Improper access control vulnerability in GROWI prior to v5.1.4 (v5 series) and versions prior to v4.5.25 (v4 series) allows a remote authenticated attacker to bypass access restriction and download the markdown data from the pages set to private by the other users."}], "affected": [{"vendor": "WESEEK, Inc.", "product": "GROWI v5 series and v4 series", "versions": [{"version": "versions prior to v5.1.4 (v5 series) and versions prior to v4.5.25 (v4 series)", "status": "affected"}]}], "references": [{"url": "https://weseek.co.jp/en/news/2022/10/07/growi-private-page-can-be-viewed/"}, {"url": "https://jvn.jp/en/jp/JVN00845253/index.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Improper Access Control"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:56:38.188Z"}, "title": "CVE Program Container", "references": [{"url": "https://weseek.co.jp/en/news/2022/10/07/growi-private-page-can-be-viewed/", "tags": ["x_transferred"]}, {"url": "https://jvn.jp/en/jp/JVN00845253/index.html", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-41799", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-07T16:11:29.358137Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-07T16:11:52.160Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:weseek:growi:*:*:*:*:*:*:*:*", "matchCriteriaId": "EEA7532A-65FA-4843-92AF-0F8AB307964B", "versionEndExcluding": "4.5.25", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:weseek:growi:*:*:*:*:*:*:*:*", "matchCriteriaId": "06A49745-9A37-491A-9A75-6524CCC4CF83", "versionEndExcluding": "5.1.4", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper access control vulnerability in GROWI prior to v5.1.4 (v5 series) and versions prior to v4.5.25 (v4 series) allows a remote authenticated attacker to bypass access restriction and download the markdown data from the pages set to private by the other users."}, {"lang": "es", "value": "Una vulnerabilidad de control de acceso inapropiado en GROWI versiones anteriores a 5.1.4 (serie v5) y versiones anteriores a v4.5.25 (serie v4), que permite a un atacante remoto autenticado omitir la restricci\u00f3n de acceso y descargar los datos de markdown de las p\u00e1ginas establecidas como privadas por los dem\u00e1s usuarios"}], "id": "CVE-2022-41799", "lastModified": "2025-05-07T17:15:57.040", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-10-24T14:15:52.687", "references": [{"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN00845253/index.html"}, {"source": "[email protected]", "tags": ["Product", "Vendor Advisory"], "url": "https://weseek.co.jp/en/news/2022/10/07/growi-private-page-can-be-viewed/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN00845253/index.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Vendor Advisory"], "url": "https://weseek.co.jp/en/news/2022/10/07/growi-private-page-can-be-viewed/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "[email protected]", "type": "Primary"}]}