[Japanese]

JVNDB-2021-000009

Android App "ELECOM File Manager" vulnerable to directory traversal

Overview

Android App "ELECOM File Manager" provided by ELECOM CO.,LTD. contains a directory traversal vulnerability (CWE-22) due to a flaw in the processing of the filenames when extracting the compressed files.

Ryohei Koike reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


ELECOM CO.,LTD.
  • ELECOM File Manager all versions

Impact

A remote attacker may create an arbitrary file or overwrite an existing file in a directory which can be accessed with the application privileges.
Solution

[Stop using Android App "ELECOM File Manager"]
The developer states the product is no longer supported, therefore stop using the product.
According to developer, ELECOM EXtorage Link, the successor to ELECOM File Manager, is not affected by this vulnerability and users are recommended to use ELECOM EXtorage Link.
Vendor Information

ELECOM CO.,LTD.
CWE (What is CWE?)

  1. Path Traversal(CWE-22) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2021-20651
References

  1. JVN : JVN#98115035
  2. National Vulnerability Database (NVD) : CVE-2021-20651
Revision History

  • [2021/01/27]
      Web page was published

Date Public2021/01/26
Date First Published2021/01/27
Date Last Updated2021/01/27