VYPR
Unrated severity · NVD Advisory · Published Oct 13, 2021 · Updated Aug 3, 2024

CVE-2021-20796

Description

Directory traversal vulnerability in the management screen of Cybozu Remote Service 3.1.8 allows a remote authenticated attacker to upload an arbitrary file via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cybozu Remote Service 3.1.8 management screen contains a directory traversal vulnerability allowing authenticated attackers to upload arbitrary files, impacting integrity and availability.

Vulnerability

A path traversal vulnerability (CWE-22) exists in the management screen of Cybozu Remote Service 3.1.8 [1][2]. An authenticated remote attacker can exploit unspecified vectors to traverse directories and upload arbitrary files to locations outside the intended upload directory. According to [1], the CVSS v3 base score is 4.2 (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L), while [2] rates it as 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L). The affected version is exclusively 3.1.8 [1][2].

Exploitation

An attacker must have valid credentials to access the management screen (PR:L) and network access [1][2]. The attack requires no user interaction (UI:N). The exact steps are not disclosed by the vendor to prevent misuse [2]; however, the flaw allows directory traversal through the file upload functionality, enabling the attacker to specify a path that escapes the designated upload folder.
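The kind of containment check that keeps an upload destination inside its designated folder, as an added Python illustration of CWE-22 handling. It is not Cybozu's code or its fix; the function names, the `uploads` directory and the sample names are assumptions constructed for this example.

```python
import os
import tempfile

class UnsafeUploadPath(ValueError):
    """Client-supplied name would land outside the upload root."""

def resolve_upload_path(upload_root, client_name):
    """Return the absolute destination for client_name or raise UnsafeUploadPath."""
    if not client_name or "\x00" in client_name:
        raise UnsafeUploadPath("empty name or NUL byte")
    # Treat a backslash as a separator too, so Windows-style traversal is
    # handled like "../x" even when the server itself runs on a POSIX system.
    normalized = client_name.replace("\\", "/")
    root = os.path.realpath(upload_root)
    # realpath collapses ".." and follows symlinks. Joining an absolute
    # client path discards root entirely; the containment test catches that.
    candidate = os.path.realpath(os.path.join(root, normalized))
    # commonpath compares whole components, so a sibling directory such as
    # "<root>_evil" is not mistaken for being inside "<root>".
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise UnsafeUploadPath(f"escapes upload root: {client_name!r}")
    return candidate

def check_names(upload_root, names):
    """Map each name to True (accepted) or False (rejected)."""
    results = {}
    for name in names:
        try:
            resolve_upload_path(upload_root, name)
            results[name] = True
        except ValueError:  # includes UnsafeUploadPath
            results[name] = False
    return results

# Constructed sample names, not taken from the advisory.
SAMPLE_NAMES = ["report.pdf", "sub/dir/report.pdf", "../outside.txt",
                "sub/../../outside.txt", "..\\outside.txt",
                "/etc/outside.txt", "../uploads_evil/x"]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "uploads")
        os.mkdir(root)
        for name, ok in check_names(root, SAMPLE_NAMES).items():
            print("accept" if ok else "reject", repr(name))
```

Resolving first and comparing afterwards is what makes the check hold against mixed separators, absolute paths and symlinks; filtering the raw string for `..` alone does not cover those cases.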

Impact

Successful exploitation allows the attacker to upload arbitrary files to arbitrary locations on the server [2]. This can lead to integrity compromise (e.g., overwriting configuration files or uploading malicious scripts) and availability degradation (e.g., replacing critical files that cause service disruption) [1][2]. There is no direct confidentiality impact [1].

Mitigation

Cybozu released version 4.0.0 on 2021-09-29 to fix this vulnerability [2]. Users should upgrade to 4.0.0 or later. No workaround or EOL status is mentioned in the references; the product remains supported [1][2]. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
