JVN#00712821
Improper restriction of XML external entity reference (XXE) vulnerability in tsClinical Define.xml Generator and tsClinical Metadata Desktop Tools
Overview
tsClinical Define.xml Generator and tsClinical Metadata Desktop Tools provided by FUJITSU LIMITED contain an improper restriction of XML external entity reference (XXE) vulnerability.
Products Affected
- tsClinical Define.xml Generator all versions (v1.0.0 to v1.4.0)
- tsClinical Metadata Desktop Tools Version 1.0.3 to Version 1.1.0
Description
tsClinical Define.xml Generator and tsClinical Metadata Desktop Tools provided by FUJITSU LIMITED contain an improper restriction of XML external entity reference (XXE) vulnerability (CWE-611).
Impact
By reading a specially crafted XML file, arbitrary files which meet a certain condition may be obtained by an attacker.
Solution
Update the software
For tsClinical Metadata Desktop Tools, the developer has released tsClinical Metadata Desktop Tools Version 1.1.1 that addresses this vulnerability.
Update the software according to the information provided by the developer.
Switch to the alternative product
tsClinical Define.xml Generator's development ended and no updates are planned to be provided.
The developer recommends stop using the product and switching to tsClinical Metadata Desktop Tools.
Apply the workaround
Applying the following workaround may mitigate the impacts of this vulnerability.
- Do not use the following menus or read suspicious XML files in the following menus.
- tsClinical Define.xml Generator:
- Import Define.xml
- Validate against XML Schema
- tsClinical Metadata Desktop Tools:
- Convert from Define-XML to Excel
- Convert from XML to HTML
- Convert from ODM-XML to Excel
- Validate against XML Schema
- tsClinical Define.xml Generator:
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Toyama Taku and Sakaki Ryutaro of NEC Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2023-22377 |
| JVN iPedia |
JVNDB-2023-000017 |