CVE-2021-20670

7.5 HIGH

📋 TL;DR

CVE-2021-20670 is an improper access control vulnerability in GROWI wiki software that allows unauthenticated remote attackers to read user personal information and server internal data. This affects GROWI versions v4.2.2 and earlier. The vulnerability enables unauthorized access to sensitive information without requiring authentication.

💻 Affected Systems

Products:
  • GROWI
Versions: v4.2.2 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All GROWI deployments running affected versions are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access all user personal data, internal server information, and potentially use this information for further attacks or data breaches.

🟠 Likely Case

Unauthenticated attackers reading user profiles, email addresses, and internal system information exposed through the GROWI application.

🟢 If Mitigated

Limited to authenticated users only accessing authorized information with proper access controls enforced.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability allows unauthenticated access but specific exploit vectors are unspecified in public disclosures.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.2.3 and later

Vendor Advisory: https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/

Restart Required: Yes

Instructions:

1. Back up your GROWI data and configuration.
2. Update GROWI to version 4.2.3 or later.
3. Restart the GROWI service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Network Access Restriction

Restrict network access to GROWI instances to trusted IP addresses only (Linux, iptables; replace trusted_ip_range with your own CIDR and 3000 with the port GROWI actually listens on):

# allow the trusted range to reach GROWI, then drop everything else on that port
iptables -A INPUT -p tcp --dport 3000 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP

🧯 If You Can't Patch

  • Implement network segmentation to isolate GROWI instances from untrusted networks
  • Deploy a web application firewall (WAF) with rules to detect and block unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check the GROWI version in the admin panel, or read the version field from the installation's package.json

Check Version:

grep version /path/to/growi/package.json

Verify Fix Applied:

Confirm GROWI version is 4.2.3 or later and test that unauthenticated users cannot access user information

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated requests accessing user profile endpoints
  • Multiple failed authentication attempts followed by successful information access

Network Indicators:

  • Unusual traffic patterns to GROWI user data endpoints from unauthenticated sources

SIEM Query:

source="growi" AND (uri_path="/user/*" OR uri_path="/api/v3/user/*") AND http_status=200 AND NOT authenticated_user=*
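The SIEM query above expressed as log-processing code, as an added example that is not part of the original advisory. It assumes a constructed JSON-lines log format whose field names (source, uri_path, http_status, authenticated_user) match the query; real GROWI or reverse-proxy logs will need their own field mapping.

```python
import json
import fnmatch

# Constructed sample log lines (not real GROWI logs): one JSON record per line,
# using the field names the SIEM query relies on. The field names are an assumption.
SAMPLE_LOGS = """
{"source": "growi", "uri_path": "/user/alice", "http_status": 200, "authenticated_user": "bob"}
{"source": "growi", "uri_path": "/api/v3/user/alice", "http_status": 200, "authenticated_user": null}
{"source": "growi", "uri_path": "/login", "http_status": 200, "authenticated_user": null}
{"source": "growi", "uri_path": "/user/carol", "http_status": 401, "authenticated_user": null}
{"source": "nginx", "uri_path": "/user/carol", "http_status": 200, "authenticated_user": null}
{"source": "growi", "uri_path": "/api/v3/user/list", "http_status": 200}
"""

# Same path globs as the SIEM query: uri_path="/user/*" OR uri_path="/api/v3/user/*"
USER_DATA_PATTERNS = ("/user/*", "/api/v3/user/*")


def is_suspicious(rec):
    """Mirror of the query: GROWI source, user-data path, HTTP 200, no authenticated user."""
    if rec.get("source") != "growi":
        return False
    if rec.get("http_status") != 200:
        return False
    path = rec.get("uri_path", "")
    if not any(fnmatch.fnmatchcase(path, p) for p in USER_DATA_PATTERNS):
        return False
    # "NOT authenticated_user=*" matches records where the field is absent, null or empty
    return not rec.get("authenticated_user")


def find_unauthenticated_user_reads(log_text):
    """Return the uri_path of every record matching the detection rule, in log order."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than crash the monitor
        if is_suspicious(rec):
            hits.append(rec["uri_path"])
    return hits


if __name__ == "__main__":
    for path in find_unauthenticated_user_reads(SAMPLE_LOGS):
        print("unauthenticated read of user data:", path)
```

Authenticated reads, non-200 responses, non-GROWI sources and unrelated paths are all dropped, so only the two records that satisfy every clause of the query are reported.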
