RakRak Document Plus vulnerable to path traversal


RakRak Document Plus provided by Sumitomo Electric Information Systems Co., Ltd. contains a path traversal vulnerability (CWE-22).

Asato Masamu of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 6.7 (Medium) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Complete
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

Sumitomo Electric Information Systems Co., Ltd.
  • RakRak Document Plus Ver. to Ver.

The developer states that RakRak Document Plus Ver. is not affected by this vulnerability.

Arbitrary files on the server may be obtained or deleted by a user of the product with specific privileges.

[Update the Software]
Update the software to the latest version according to the information provided by the developer.
The developer released "Rakuraku Document Plus Ver." on January 17, 2024, which contains a fix for this vulnerability.

[Apply the Patch]
The developer released patches for the affected versions.

[Apply the Workaround]
The developer also recommends users apply the workaround.

For more information, refer to the information provided by the developer.
Vendor Information

Sumitomo Electric Information Systems Co., Ltd.
CWE (What is CWE?)

  1. Path Traversal(CWE-22) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2023-49108

  1. JVN : JVN#46895889
  2. National Vulnerability Database (NVD) : CVE-2023-49108
Revision History

  • [2023/12/04]
      Web page was published
  • [2024/01/24]
      Solution was modified