CVE-2021-20788

Server-side request forgery (SSRF) vulnerability in GroupSession (GroupSession Free edition from ver2.2.0 to the version prior to ver5.1.0, GroupSession byCloud from ver3.0.3 to the version prior to ver5.1.0, and GroupSession ZION from ver3.0.3 to the version prior to ver5.1.0) allows a remote authenticated attacker to conduct a port scan from the product and/or obtain information from the internal Web server.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://groupsession.jp/info/info-news/security202107	Vendor Advisory
https://jvn.jp/en/jp/JVN86026700/index.html	Third Party Advisory
https://groupsession.jp/info/info-news/security202107	Vendor Advisory
https://jvn.jp/en/jp/JVN86026700/index.html	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:groupsession:groupsession:::::free:::*
	cpe:2.3:a:groupsession:groupsession_bycloud::::::::
	cpe:2.3:a:groupsession:groupsession_zion::::::::

History

21 Nov 2024, 05:47

Type	Values Removed	Values Added
References	~~() https://groupsession.jp/info/info-news/security202107 - Vendor Advisory~~	() https://groupsession.jp/info/info-news/security202107 - Vendor Advisory
References	~~() https://jvn.jp/en/jp/JVN86026700/index.html - Third Party Advisory~~	() https://jvn.jp/en/jp/JVN86026700/index.html - Third Party Advisory

Information

Published : 2021-07-30 14:15

Updated : 2024-11-21 05:47

NVD link : CVE-2021-20788

Mitre link : CVE-2021-20788

CVE.ORG link : CVE-2021-20788

JSON object : View

Products Affected

groupsession

groupsession
groupsession_bycloud
groupsession_zion

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2021-20788", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2021-07-30T14:15:14.867", "references": [{"url": "https://groupsession.jp/info/info-news/security202107", "tags": ["Vendor Advisory"], "source": "vultures@jpcert.or.jp"}, {"url": "https://jvn.jp/en/jp/JVN86026700/index.html", "tags": ["Third Party Advisory"], "source": "vultures@jpcert.or.jp"}, {"url": "https://groupsession.jp/info/info-news/security202107", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://jvn.jp/en/jp/JVN86026700/index.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Server-side request forgery (SSRF) vulnerability in GroupSession (GroupSession Free edition from ver2.2.0 to the version prior to ver5.1.0, GroupSession byCloud from ver3.0.3 to the version prior to ver5.1.0, and GroupSession ZION from ver3.0.3 to the version prior to ver5.1.0) allows a remote authenticated attacker to conduct a port scan from the product and/or obtain information from the internal Web server."}, {"lang": "es", "value": "Una vulnerabilidad de tipo Server-side request forgery (SSRF) en GroupSession (GroupSession Free edition desde versi\u00f3n 2.2.0 hasta versi\u00f3n anterior a 5.1.0, GroupSession byCloud desde versi\u00f3n 3.0.3 hasta versi\u00f3n anterior a 5.1.0, y GroupSession ZION desde versi\u00f3n 3.0.3 hasta versi\u00f3n anterior a 5.1.0) permite a un atacante remoto autenticado conducir un escaneo de puertos desde el producto y/u obtener informaci\u00f3n del servidor Web interno"}], "lastModified": "2024-11-21T05:47:11.477", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:groupsession:groupsession:*:*:*:*:free:*:*:*", "vulnerable": true, "matchCriteriaId": "BCD711A0-12D3-4FC1-B1F3-084DD5D9721B", "versionEndExcluding": "5.1.0", "versionStartIncluding": "2.20"}, {"criteria": "cpe:2.3:a:groupsession:groupsession_bycloud:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20139ED3-424E-49EB-9D6D-9EAA356C0D96", "versionEndExcluding": "5.1.0", "versionStartIncluding": "3.0.3"}, {"criteria": "cpe:2.3:a:groupsession:groupsession_zion:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9F38C4EF-470B-4C54-B57F-7C99AB59BF73", "versionEndExcluding": "5.1.0", "versionStartIncluding": "3.0.3"}], "operator": "OR"}]}], "sourceIdentifier": "vultures@jpcert.or.jp"}