Published:2023/02/14  Last Updated:2023/02/14

JVN#00712821
Improper restriction of XML external entity reference (XXE) vulnerability in tsClinical Define.xml Generator and tsClinical Metadata Desktop Tools

Overview

tsClinical Define.xml Generator and tsClinical Metadata Desktop Tools provided by FUJITSU LIMITED contain an improper restriction of XML external entity reference (XXE) vulnerability.

Products Affected

  • tsClinical Define.xml Generator all versions (v1.0.0 to v1.4.0)
  • tsClinical Metadata Desktop Tools Version 1.0.3 to Version 1.1.0
tsClinical Metadata Desktop Tools is open sourced version of tsClinical Define.xml Generator.

Description

tsClinical Define.xml Generator and tsClinical Metadata Desktop Tools provided by FUJITSU LIMITED contain an improper restriction of XML external entity reference (XXE) vulnerability (CWE-611).

Impact

By reading a specially crafted XML file, arbitrary files which meet a certain condition may be obtained by an attacker.

Solution

Update the software
For tsClinical Metadata Desktop Tools, the developer has released tsClinical Metadata Desktop Tools Version 1.1.1 that addresses this vulnerability.
Update the software according to the information provided by the developer.

Switch to the alternative product
tsClinical Define.xml Generator's development ended and no updates are planned to be provided.
The developer recommends stop using the product and switching to tsClinical Metadata Desktop Tools.

Apply the workaround
Applying the following workaround may mitigate the impacts of this vulnerability.

  • Do not use the following menus or read suspicious XML files in the following menus.
    • tsClinical Define.xml Generator:
      • Import Define.xml
      • Validate against XML Schema
    • tsClinical Metadata Desktop Tools:
      • Convert from Define-XML to Excel
      • Convert from XML to HTML
      • Convert from ODM-XML to Excel
      • Validate against XML Schema

Vendor Status

Vendor Status Last Update Vendor Notes
FUJITSU LIMITED Vulnerable 2023/02/14

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Base Score: 2.5
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:L/AC:H/Au:N/C:P/I:N/A:N
Base Score: 1.2
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Toyama Taku and Sakaki Ryutaro of NEC Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2023-22377
JVN iPedia JVNDB-2023-000017