JVN#63860183: POWER EGG vulnerability where EL expression may be executed

POWER EGG provided by D-CIRCLE inc. is an integrated collaboration tool. POWER EGG contains a vulnerability where an arbitray EL expression may be executed (CWE-20).

Impact

A remote attacker may execute an arbitrary EL expression from the server where the product is running. As a result, an arbitrary command may be executed.

Solution

Update the Software
Update to the latest version of software according to the information provided by the developer.

Products Affected

• POWER EGG 2.0 Ver 2.0.1
• POWER EGG 2.0 Ver 2.02 Patch 3 and earlier
• POWER EGG 2.0 Ver 2.1 Patch 4 and earlier
• POWER EGG 2.0 Ver 2.2 Patch 7 and earlier
• POWER EGG 2.0 Ver 2.3 Patch 9 and earlier
• POWER EGG 2.0 Ver 2.4 Patch 13 and earlier
• POWER EGG 2.0 Ver 2.5 Patch 12 and earlier
• POWER EGG 2.0 Ver 2.6 Patch 8 and earlier
• POWER EGG 2.0 Ver 2.7 Patch 6 and earlier
• POWER EGG 2.0 Ver 2.7 Government Edition Patch 7 and earlier
• POWER EGG 2.0 Ver 2.8 Patch 6 and earlier
• POWER EGG 2.0 Ver 2.8c Patch 5 and earlier
• POWER EGG 2.0 Ver 2.9 Patch 4 and earlier
  POWER EGG 2.0 Ver2.10c, POWER EGG 2.0 Ver2.11c, and POWER EGG 3.0 are not affected by this vulnerability.