Published:2018/12/10  Last Updated:2018/12/10

Multiple vulnerabilities in Cybozu Remote Service


Cybozu Remote Service provided by Cybozu, Inc. contains multiple vulnerabilities.

Products Affected


  • Cybozu Remote Service 3.0.0 to 3.1.0
CVE-2018-16170, CVE-2018-16171, CVE-2018-16172
  • Cybozu Remote Service 3.0.0 to 3.1.8
According to the developer, CVE-2018-16170 is confirmed only for Windows.


Cybozu Remote Service provided by Cybozu, Inc. contains multiple vulnerabilities listed below.

  • Upload of arbitrary files in logo setting screen (CWE-434) - CVE-2018-16169
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 8.8
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:P/A:P Base Score: 6.5
  • Directory traversal in used device management screen (CWE-22) - CVE-2018-16170
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H Base Score: 9.6
    CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:P Base Score: 5.5
  • Directory traversal in client certificates registration function (CWE-22) - CVE-2018-16171
    CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.5
    CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:P Base Score: 5.1
  • Improper countermeasure against clickjacking attack in client certificates management screen (CWE-451) - CVE-2018-16172
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Base Score: 6.5
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6


  • Arbitrary Java code may be executed on the server. - CVE-2018-16169, CVE-2018-16171
  • Arbitrary files on the server may be deleted. - CVE-2018-16170
  • A user is tricked to delete registered client certificates. - CVE-2018-16172


Update the Software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes
Cybozu, Inc. Vulnerable 2018/12/10 Cybozu, Inc. website


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC


Cybozu, Inc. reported CVE-2018-16169 vulnerability to JPCERT/CC to notify users of the solution through JVN.

Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported CVE-2018-16170 and CVE-2018-16171 vulnerabilities to Cybozu, Inc., and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN.

Kanta Nishitani reported CVE-2018-16172 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2018-16169
JVN iPedia JVNDB-2018-000126