JVN#28331227
MaruUo Factory's multiple AttacheCase products vulnerable to directory traversal
Overview
MaruUo Factory's multiple AttacheCase products contain a directory traversal vulnerability.
Products Affected
- AttacheCase for Java Ver0.60 and earlier
- AttacheCase Lite Ver1.4.6 and earlier
- AttacheCase Pro Ver1.5.7 and earlier
Description
Multiple AttacheCase products provided by MaruUo Factory contain a directory traversal vulnerability (CWE-22) due to a flaw in processing filenames in ATC files.
Impact
Decrypting a crafted ATC file may result in creation of an arbitrary file or overwriting of an existing file.
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
When updating AttacheCase for Java from Ver0.60 or a prior version, delete the old version first, then install Ver0.62 or the later version.
Vendor Status
| Vendor | Link |
| MaruUo Factory | Path traversal vulnerability |
| AttacheCase Lite - App Store | |
| AttacheCase Pro - App Store |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Kazuki Furukawa reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2016-7843 |
| JVN iPedia |
JVNDB-2017-000009 |