JVNDB-2015-000147

AjaXplorer vulnerable to directory traversal

Overview

AjaXplorer contains an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability.

Daiki Fukumori of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

Base Metrics: 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None

Affected Products


Pydio
  • AjaXplorer

This vulnerability was confirmed to exist in version 2.0 by the reporter. Note that other versions may be affected.

Impact

An authenticated attacker may view files on the server.

Solution

[Use Pydio]
The developer states that the development of AjaXplorer has been discontinued and there are no plans for AjaXplorer to be updated.
Use Pydio, the successor of AjaXplorer.

Vendor Information

Pydio

CWE

  1. Path Traversal (CWE-22) [IPA Evaluation]

CVE

  1. CVE-2015-5650

References

  1. JVN : JVN#27462572
  2. National Vulnerability Database (NVD) : CVE-2015-5650

Revision History

[2015/10/01]
  Web page was published
[2015/10/07]
  References : Content was added