JVNDB-2018-000104

Multiple vulnerabilities in FileZen

Overview

FileZen, provided by Soliton Systems K.K., is an appliance for secure file transfer and sharing by mail or a web interface.
FileZen contains multiple vulnerabilities listed below.

* Directory traversal (CWE-22) - CVE-2018-0693
* OS command injection (CWE-78) - CVE-2018-0694

Soliton Systems K.K. reported these vulnerabilities to IPA to notify users of its solution through JVN. JPCERT/CC and Soliton Systems K.K. coordinated under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics: 10.0 (Critical) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics: 10.0 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2018-0694


CVSS V3 Severity:
Base Metrics: 9.1 (Critical) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics: 9.4 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2018-0693

Affected Products

Soliton Systems K.K.
  • FileZen V3.0.0 to V4.2.1

Impact

* A remote unauthenticated attacker may upload an arbitrary file to a specific directory in FileZen - CVE-2018-0693
* A remote unauthenticated attacker may execute an arbitrary OS command - CVE-2018-0694

Solution

[Update the Software]
Update the software to the latest version according to the information provided by the developer.

Vendor Information

Soliton Systems K.K.

CWE

  1. Path Traversal (CWE-22) [IPA Evaluation]
  2. OS Command Injection (CWE-78) [IPA Evaluation]

CVE

  1. CVE-2018-0693
  2. CVE-2018-0694

References

  1. JVN : JVN#95355683
  2. National Vulnerability Database (NVD) : CVE-2018-0693
  3. National Vulnerability Database (NVD) : CVE-2018-0694
  4. IPA SECURITY ALERTS : Security Alert for Vulnerabilities in FileZen (in Japanese)

Revision History

  • [2018/10/15]
      Web page was published
  • [2019/07/26]
      References : Content was added