CVE-2018-16171
Description
Directory traversal vulnerability in Cybozu Remote Service 3.0.0 to 3.1.8 allows remote attackers to execute Java code file on the server via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cybozu Remote Service 3.0.0 to 3.1.8 is vulnerable to a directory traversal in the client certificates registration function, allowing remote code execution.
Vulnerability
Cybozu Remote Service versions 3.0.0 through 3.1.8 contain a directory traversal vulnerability (CWE-22) in the client certificates registration function [1][2]. This flaw allows an attacker to traverse directories and access files outside of the intended restricted path [1]. The vulnerability is classified as a path traversal issue, with a high CVSS v3 base score of 7.5 [2]. Affected versions include 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, and 3.1.8 [1].
Exploitation
Exploitation of this vulnerability requires network access and has a high attack complexity (AC:H), meaning the attack scenario may require specific conditions; it also requires user interaction (UI:R) [2]. The attacker does not need prior authentication (PR:N) [2]. The exact sequence of steps is not publicly disclosed by the vendor to prevent attacks [1]. However, the vulnerability is leveraged through the client certificates registration function, likely by providing a maliciously crafted path or file name that escapes the intended directory [2].
Impact
Successful exploitation allows a remote attacker to execute arbitrary Java code on the server [2]. This can lead to full compromise of confidentiality, integrity, and availability, as the attacker could read, modify, or delete sensitive data, or disrupt service [1][2]. The impact scope is unchanged (S:U), meaning the damage is confined to the vulnerable component [2].
Mitigation
The vendor addressed this vulnerability in version 3.1.9, released on 2018-11-26 [1]. Users should update immediately to this or any later version. No workarounds are disclosed in the available references. According to the JVN advisory, the fix is included in the latest update [2]. There is no indication that this CVE has been added to the Known Exploited Vulnerabilities catalog at the time of this writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 3.0.0 - 3.1.8
- Cybozu, Inc./Cybozu Remote Service (v5), Range: 3.0.0 to 3.1.8
Patches
No patches discovered yet.
References
- jvn.jp/en/jp/JVN23161885/index.html (mitre, third-party-advisory, x_refsource_JVN)
- kb.cybozu.support/article/35259/ (mitre, x_refsource_MISC)