Published: 2021/01/26  Last Updated: 2021/02/12

JVN#98115035
Android App "ELECOM File Manager" vulnerable to directory traversal

Overview

Android App "ELECOM File Manager" contains a directory traversal vulnerability.

Products Affected

  • Android App "ELECOM File Manager" all versions

Description

Android App "ELECOM File Manager" provided by ELECOM CO.,LTD. contains a directory traversal vulnerability (CWE-22) due to a flaw in the processing of filenames when extracting compressed files.
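The check that archive extraction needs in order to avoid this class of flaw, written as an added example in Python (not the app's own code, which the advisory does not show): every entry name is resolved under the destination directory and rejected if it lands outside it. The function names and the two in-memory archives are constructed for the example.

```python
import io
import os
import tempfile
import zipfile

def safe_member_path(dest_dir: str, member_name: str) -> str:
    # Resolve the archive entry under dest_dir and reject any name (including
    # "../" chains and absolute paths) that does not resolve inside it (CWE-22).
    dest_root = os.path.realpath(dest_dir)
    candidate = os.path.realpath(os.path.join(dest_root, member_name))
    if os.path.commonpath([dest_root, candidate]) != dest_root:
        raise ValueError(f"path traversal in archive entry: {member_name!r}")
    return candidate

def extract_safely(archive_bytes: bytes, dest_dir: str) -> list[str]:
    # Validate every member path before writing anything; returns written paths.
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = safe_member_path(dest_dir, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written

def build_archive(entries: dict[str, bytes]) -> bytes:
    # Constructed sample input: an in-memory zip built from {name: content}.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo() -> dict:
    # A benign archive extracts; an entry that climbs out with "../" is rejected.
    benign = build_archive({"docs/readme.txt": b"hello"})
    with tempfile.TemporaryDirectory() as dest:
        root = os.path.realpath(dest)
        extracted = [os.path.relpath(p, root) for p in extract_safely(benign, dest)]
        try:
            extract_safely(build_archive({"../../escape.txt": b"owned"}), dest)
            rejected = False
        except ValueError:
            rejected = True
    return {"extracted": extracted, "rejected": rejected}
```

Because the comparison is made on the fully resolved path, the check also catches names that only become traversals after normalization, which a plain string search for ".." would miss.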

Impact

A remote attacker may create an arbitrary file or overwrite an existing file in any directory that is accessible with the application's privileges.

Solution

Stop using Android App "ELECOM File Manager"
The developer states that the product is no longer supported; therefore, stop using the product.
According to the developer, ELECOM EXtorage Link, the successor to ELECOM File Manager, is not affected by this vulnerability, and users are recommended to use ELECOM EXtorage Link instead.

Vendor Status

Vendor           Status      Last Update   Vendor Notes
ELECOM CO.,LTD.  Vulnerable  2021/01/26    ELECOM CO.,LTD. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3  CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Base Score: 4.3
  Attack Vector (AV): Network (N)
  Attack Complexity (AC): Low (L)
  Privileges Required (PR): None (N)
  User Interaction (UI): Required (R)
  Scope (S): Unchanged (U)
  Confidentiality Impact (C): None (N)
  Integrity Impact (I): Low (L)
  Availability Impact (A): None (N)
CVSS v2  AV:N/AC:M/Au:N/C:N/I:P/A:N
Base Score: 4.3
  Access Vector (AV): Network (N)
  Access Complexity (AC): Medium (M)
  Authentication (Au): None (N)
  Confidentiality Impact (C): None (N)
  Integrity Impact (I): Partial (P)
  Availability Impact (A): None (N)

Credit

Ryohei Koike reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE CVE-2021-20651
JVN iPedia JVNDB-2021-000009

Update History

2021/02/12
Typo under the section [Description] was corrected.