Android App "ELECOM File Manager" vulnerable to directory traversal


Android App "ELECOM File Manager" provided by ELECOM CO.,LTD. contains a directory traversal vulnerability (CWE-22) due to a flaw in the processing of the filenames when extracting the compressed files.

Ryohei Koike reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

  • ELECOM File Manager all versions


A remote attacker may create an arbitrary file or overwrite an existing file in a directory which can be accessed with the application privileges.

[Stop using Android App "ELECOM File Manager"]
The developer states the product is no longer supported, therefore stop using the product.
According to developer, ELECOM EXtorage Link, the successor to ELECOM File Manager, is not affected by this vulnerability and users are recommended to use ELECOM EXtorage Link.
Vendor Information

CWE (What is CWE?)

  1. Path Traversal(CWE-22) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2021-20651

  1. JVN : JVN#98115035
Revision History

  • [2021/01/27]
      Web page was published