Published: 2021/10/28 Last Updated: 2021/10/28
JVN#33453839
Multiple improper restriction of XML external entity reference (XXE) vulnerabilities in Office Server Document Converter
Overview
Office Server Document Converter provided by Antenna House, Inc. contains multiple improper restriction of XML external entity reference (XXE) vulnerabilities.
Products Affected
- Office Server Document Converter
  - V7.2MR4 and earlier
  - V7.1MR7 and earlier
Description
Office Server Document Converter provided by Antenna House, Inc. contains multiple improper restriction of XML external entity reference (XXE) vulnerabilities listed below.
- Improper restriction of XML external entity reference (XXE) (CWE-611) - CVE-2021-20838
  Resource exhaustion in the PDF convert server may occur.
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Base Score: 5.3
  CVSS v2 AV:N/AC:L/Au:N/C:N/I:N/A:P Base Score: 5.0
- Improper restriction of XML external entity reference (XXE) (CWE-611) - CVE-2021-20839
  A large volume of access to other servers may occur.
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L Base Score: 7.2
  CVSS v2 AV:N/AC:L/Au:N/C:N/I:P/A:P Base Score: 6.4
Impact
- By processing a specially crafted XML document, the server running the product may enter a denial-of-service (DoS) condition - CVE-2021-20838
- By processing a specially crafted XML document, denial-of-service (DoS) attacks against other servers may be executed - CVE-2021-20839
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
Vendor Status
Vendor | Link |
Antenna House, Inc. | Denial of Service (DoS) Vulnerability in Office Server Document Converter (Text in Japanese) |
Other Information
CVE | CVE-2021-20838, CVE-2021-20839 |
JVN iPedia | JVNDB-2021-000095 |