Published:2021/04/01  Last Updated:2021/04/01

JVN#73236007
Archive collectively operation utility vulnerable to directory traversal

Overview

Archive collectively operation utility contains a directory traversal vulnerability.

Products Affected

  • Archive collectively operation utility Ver.2.10.1.0 and earlier

Description

Archive collectively operation utility provided by EikiSoft contains a directory traversal vulnerability (CWE-22) due to a flaw in the processing of the filenames when extracting from ZIP archives.

Impact

By expanding a malicious ZIP archive, arbitrary files may be created or overwritten with the application's privilege.

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes
EikiSoft Vulnerable 2021/04/01 EikiSoft website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Base Score: 3.3
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N
Base Score: 4.3
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

apple502j reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2021-20692
JVN iPedia JVNDB-2021-000029