JVN#98115035
Android App "ELECOM File Manager" vulnerable to directory traversal
Overview
Android App "ELECOM File Manager" contains a directory traversal vulnerability.
Products Affected
- Android App "ELECOM File Manager" all versions
Description
Android App "ELECOM File Manager" provided by ELECOM CO.,LTD. contains a directory traversal vulnerability (CWE-22) due to a flaw in the processing of the filenames when extracting the compressed files.
Impact
A remote attacker may create an arbitrary file or overwrite an existing file in a directory which can be accessed with the application privileges.
Solution
Stop using Android App "ELECOM File Manager"
The developer states the product is no longer supported, therefore stop using the product.
According to developer, ELECOM EXtorage Link, the successor to ELECOM File Manager, is not affected by this vulnerability and users are recommended to use ELECOM EXtorage Link.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| ELECOM CO.,LTD. | Vulnerable | 2021/01/26 | ELECOM CO.,LTD. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Ryohei Koike reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2021-20651 |
| JVN iPedia |
JVNDB-2021-000009 |
Update History
- 2021/02/12
- Typo under the section [Description] was corrected.