Published: 2023/04/04  Last Updated: 2023/04/04

JVN#75742861
Improper restriction of XML external entity references (XXE) in National land numerical information data conversion tool

Overview

National land numerical information data conversion tool provided by Ministry of Land, Infrastructure, Transport and Tourism, Japan (MLIT) improperly restricts XML external entity references (XXE).

Products Affected

  • National land numerical information data conversion tool, all versions

Description

National land numerical information data conversion tool provided by MLIT improperly restricts XML external entity references (XXE) (CWE-611).

Impact

By processing a specially crafted XML file, arbitrary files on the PC may be accessed by an attacker.

Solution

Stop using the product
The developer states that the product is no longer publicly available, and recommends that users stop using the product.

Vendor Status

Vendor: Ministry of Land, Infrastructure, Transport and Tourism, Japan
Link: Provision of National land numerical information data conversion tool suspended (Text in Japanese)

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Base Score: 2.5
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): Low (L)
  • Integrity Impact (I): None (N)
  • Availability Impact (A): None (N)

CVSS v2: AV:L/AC:H/Au:N/C:P/I:N/A:N
Base Score: 1.2
  • Access Vector (AV): Local (L)
  • Access Complexity (AC): High (H)
  • Authentication (Au): None (N)
  • Confidentiality Impact (C): Partial (P)
  • Integrity Impact (I): None (N)
  • Availability Impact (A): None (N)

Comment

The analysis treats "Confidentiality (C)" as the primary impact, because internal file information is accessible, and treats "Integrity (I)" and "Availability (A)" as secondary impacts.

Credit

Taku Toyama and Kohei Matsumoto of NEC Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2023-25955
JVN iPedia: JVNDB-2023-000032