JVNDB-2015-000023

Speed Software Root Explorer and Explorer vulnerable to directory traversal

Overview

Root Explorer and Explorer provided by Speed Software contain an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability.

Ryohei Koike of Sakura Information Systems Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

Speed Software
  • Explorer versions prior to 2.2
  • Root Explorer versions prior to 3.2

Impact

A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the applications have privileges to access.

Solution

[Update the Software]
Apply the latest update for each application according to the information provided by the developer.

Vendor Information

Speed Software

CWE

  1. Path Traversal (CWE-22) [IPA Evaluation]

CVE

  1. CVE-2014-9282

References

  1. JVN : JVN#42768331
  2. National Vulnerability Database (NVD) : CVE-2014-9282

Revision History

  • [2015/02/24] Web page was published
  • [2015/02/26] References: Content was added