JVN#56542712: Multiple vulnerabilities in Nablarch

Overview

Nablarch contains multiple vulnerabilities.

Products Affected

Nablarch 5 (5, and 5u1 to 5u13)

Description

Nablarch provided by TIS Inc. contains multiple vulnerabilities listed below.

The vulnerability in the function of generic formatter by XXE attacks (CWE-611) - CVE-2019-5918

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H Base Score: 8.2

CVSS v2 AV:N/AC:L/AU:N/C:P/I:N/A:C Base Score: 8.5
An incomplete cryptography of the data store function by using hidden tag (CWE-310) - CVE-2019-5919

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Base Score: 4.8

CVSS v2 AV:N/AC:H/AU:N/C:P/I:P/A:N Base Score: 4.0

Impact

An XXE attack may be conducted by a remote attacker. As a resut, information leakage may occur or the system may stop - CVE-2019-5918
Information of the stored data may be obtained and invalid value may be registered or the value may be altered - CVE-2019-5919

Solution

Apply an Update
Update to the latest version according to the information provided by the developer.

Apply a Workaround
Please refer to the developer's information for the details.

Vendor Status

Vendor	Status	Last Update	Vendor Notes
TIS Inc.	Vulnerable	2019/02/27

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

TIS Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and TIS Inc. coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE	CVE-2019-5918
	CVE-2019-5919
JVN iPedia	JVNDB-2019-000012

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H	Base Score: 8.2
CVSS v2	AV:N/AC:L/AU:N/C:P/I:N/A:C	Base Score: 8.5

CVSS v3	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N	Base Score: 4.8
CVSS v2	AV:N/AC:H/AU:N/C:P/I:P/A:N	Base Score: 4.0

JVN#56542712 Multiple vulnerabilities in Nablarch