CVE-2014-7954

Name of the Vulnerable Software and Affected Versions: Android version 4.4.4

Description: A directory traversal issue exists in the doSendObjectInfo method in frameworks/av/media/mtp/MtpServer.cpp, allowing physically proximate attackers with a direct connection to the target Android device to upload files outside of the sdcard. This is achieved by including a .. (dot dot) in a name parameter of an MTP request.

Recommendations: For Android version 4.4.4, at the moment, there is no information about a newer version that contains a fix for this vulnerability.