Published:2019/02/27  Last Updated:2019/02/27

JVN#56542712
Multiple vulnerabilities in Nablarch

Overview

Nablarch contains multiple vulnerabilities.

Products Affected

  • Nablarch 5 (5, and 5u1 to 5u13)

Description

Nablarch provided by TIS Inc. contains multiple vulnerabilities listed below.

  • The vulnerability in the function of generic formatter by XXE attacks (CWE-611) - CVE-2019-5918
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H Base Score: 8.2
    CVSS v2 AV:N/AC:L/AU:N/C:P/I:N/A:C Base Score: 8.5
  • An incomplete cryptography of the data store function by using hidden tag (CWE-310) - CVE-2019-5919
    CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Base Score: 4.8
    CVSS v2 AV:N/AC:H/AU:N/C:P/I:P/A:N Base Score: 4.0

Impact

  • An XXE attack may be conducted by a remote attacker. As a resut, information leakage may occur or the system may stop - CVE-2019-5918
  • Information of the stored data may be obtained and  invalid value may be registered or the value may be altered - CVE-2019-5919

Solution

Apply an Update
Update to the latest version according to the information provided by the developer.

Apply a Workaround
Please refer to the developer's information for the details.

Vendor Status

Vendor Status Last Update Vendor Notes
TIS Inc. Vulnerable 2019/02/27

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

TIS Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and TIS Inc. coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2019-5918
CVE-2019-5919
JVN iPedia JVNDB-2019-000012