Published: 2018/10/15 Last Updated: 2018/10/15
JVN#95355683
Multiple vulnerabilities in FileZen
Critical
Overview
FileZen provided by Soliton Systems K.K. contains multiple vulnerabilities.
Products Affected
- FileZen V3.0.0 to V4.2.1
Description
FileZen provided by Soliton Systems K.K. is an appliance for secure file transfer and sharing by mail or a web interface.
FileZen contains multiple vulnerabilities listed below.
- Directory traversal (CWE-22) - CVE-2018-0693
  - CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Base Score: 9.1
  - CVSS v2 AV:N/AC:L/Au:N/C:C/I:C/A:N Base Score: 9.4
- OS command injection (CWE-78) - CVE-2018-0694
  - CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Base Score: 10.0
  - CVSS v2 AV:N/AC:L/Au:N/C:C/I:C/A:C Base Score: 10.0
Impact
- A remote unauthenticated attacker may upload an arbitrary file to a specific directory in FileZen - CVE-2018-0693
- A remote unauthenticated attacker may execute an arbitrary OS command - CVE-2018-0694
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
Soliton Systems K.K. | Vulnerable | 2018/10/15 | Soliton Systems K.K. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Soliton Systems K.K. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Soliton Systems K.K. coordinated under the Information Security Early Warning Partnership.
Other Information
- CVE: CVE-2018-0693, CVE-2018-0694
- JVN iPedia: JVNDB-2018-000104