CVE-2020-5683
Description
Directory traversal in GROWI allows remote attackers to alter data by uploading a crafted file, affecting versions prior to v4.2.3 and v4.1.12.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A directory traversal vulnerability exists in GROWI due to improper verification of uploaded files (CWE-22). Affected versions are GROWI v4.2 series prior to v4.2.3, v4.1 series prior to v4.1.12, and all v3 series and earlier. An attacker can upload a specially crafted file that traverses directories, potentially overwriting or modifying files within the application's scope [1].
Exploitation
An attacker must have network access and be able to upload a file to the GROWI instance. According to the CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), no privileges are required, but user interaction is necessary. This likely means an attacker must trick a user with upload permissions into uploading the malicious file, or the attacker themselves may need to be authenticated in cases where file upload is restricted [1].
Impact
Successful exploitation allows the attacker to alter data on the server, resulting in an integrity impact. There is no direct confidentiality or availability impact. The attacker can modify arbitrary files within the GROWI installation, potentially corrupting pages, configurations, or other stored data [1].
Mitigation
The vendor recommends upgrading to GROWI v4.2.3 (v4.2 series) or v4.1.12 (v4.1 series). For v3 series and earlier, no patch is available as these versions are end-of-support. Users should upgrade to a supported series to remediate the vulnerability [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
2 files changed · +3 −3
docker/README.md+2 −2 modified@@ -10,8 +10,8 @@ GROWI Official docker image Supported tags and respective Dockerfile links ------------------------------------------------ -* [`4.2.0`, `4.2`, `4`, `latest` (Dockerfile)](https://github.com/weseek/growi/blob/v4.2.0/docker/Dockerfile) -* [`4.2.0-nocdn`, `4.2-nocdn`, `4-nocdn`, `latest-nocdn` (Dockerfile)](https://github.com/weseek/growi/blob/v4.2.0/docker/Dockerfile) +* [`4.2.3`, `4.2`, `4`, `latest` (Dockerfile)](https://github.com/weseek/growi/blob/v4.2.3/docker/Dockerfile) +* [`4.2.3-nocdn`, `4.2-nocdn`, `4-nocdn`, `latest-nocdn` (Dockerfile)](https://github.com/weseek/growi/blob/v4.2.3/docker/Dockerfile) * [`4.1.10`, `4.1` (Dockerfile)](https://github.com/weseek/growi/blob/v4.1.10/docker/Dockerfile) * [`4.1.10-nocdn`, `4.1-nocdn` (Dockerfile)](https://github.com/weseek/growi/blob/v4.1.10/docker/Dockerfile) * [`3.8.0`, `3.8`, `3` (Dockerfile)](https://github.com/weseek/growi/blob/v3.8.0/docker/Dockerfile)
package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "growi", - "version": "4.2.3-RC", + "version": "4.2.3", "description": "Team collaboration software using markdown", "tags": [ "wiki",
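Review bot: the docker/README.md hunk moves only the 4.2 tag lines to v4.2.3 while the unchanged 4.1 context lines in the same hunk still point at `v4.1.10`, which is older than the fixed 4.1.12 release the advisory names; those two lines should be refreshed once v4.1.12 is tagged so the README does not direct 4.1 users to an unfixed image. The package.json hunk is a version bump from `4.2.3-RC` to `4.2.3` with no code change, so the commit that actually hardens the upload-path verification should be linked as a separate patch reference for this CVE.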
2 files changed · +3 −3
docker/README.md+2 −2 modified@@ -10,8 +10,8 @@ GROWI Official docker image Supported tags and respective Dockerfile links ------------------------------------------------ -* [`4.1.0`, `4.1`, `4`, `latest` (Dockerfile)](https://github.com/weseek/growi/blob/v4.1.0/docker/Dockerfile) -* [`4.1.0-nocdn`, `4.1-nocdn`, `4-nocdn`, `latest-nocdn` (Dockerfile)](https://github.com/weseek/growi/blob/v4.1.0/docker/Dockerfile) +* [`4.1.12`, `4.1`, `4`, `latest` (Dockerfile)](https://github.com/weseek/growi/blob/v4.1.12/docker/Dockerfile) +* [`4.1.12-nocdn`, `4.1-nocdn`, `4-nocdn`, `latest-nocdn` (Dockerfile)](https://github.com/weseek/growi/blob/v4.1.12/docker/Dockerfile) * [`4.0.11`, `4.0`(Dockerfile)](https://github.com/weseek/growi/blob/v4.0.11/docker/Dockerfile) * [`4.0.11-nocdn`, `4.0-nocdn` (Dockerfile)](https://github.com/weseek/growi/blob/v4.0.11/docker/Dockerfile) * [`3.8.0`, `3.8`, `3` (Dockerfile)](https://github.com/weseek/growi/blob/v3.8.0/docker/Dockerfile)
package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "growi", - "version": "4.1.12-RC", + "version": "4.1.12", "description": "Team collaboration software using markdown", "tags": [ "wiki",
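Review bot: in the docker/README.md hunk the `4` and `latest` aliases resolve to `4.1.12`, while the 4.2.3 README maps the same aliases to `4.2.3`; if both READMEs are published, the meaning of `latest` is ambiguous, so reserve `4` and `latest` for the newest series and list 4.1.12 under `4.1` only. As with the 4.2 release, the package.json hunk only drops the `-RC` suffix and carries no code change, so the fix commit for the traversal check should be referenced separately.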
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
- hub.docker.com/r/weseek/growi/
- jvn.jp/en/jp/JVN94169589/index.html
News mentions (0)
No linked articles in our index yet.