|
[Japanese]
|
JVNDB-2020-000059
|
CLUSTERPRO X and EXPRESSCLUSTER X vulnerable to XML external entity injection (XXE)
|
|
CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain an XML external entity injection (XXE) vulnerability (CWE-611).
NEC Corporation reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NEC Corporation coordinated under the Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 5.8 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
|
|
|
NEC Corporation
- EXPRESSCLUSTER X 4.2 for Windows and earlier
|
|
|
By reading a specially crafted XML files, an arbitrary file on the server may be read by the attacker.
|
|
[Update the Software]
The following updates are available. Update the software to the appropriate versions according to the information provided by the developer.
* CLUSTERPRO X 4.1/X 4.2 for Windows update module (CPRO-XWA40-08)
* EXPRESSCLUSTER X 4.1/X 4.2 for Windows update module (CPRO-XWA40-08E)
[Apply a Workaround]
Applying the following workarounds may mitigate the impacts of this vulnerability.
*Enable access restriction by IP address
*Enable access restriction by password
*Enable connection by HTTPS
|
|
NEC Corporation
|
|
- No Mapping(CWE-Other) [IPA Evaluation]
|
|
- CVE-2020-17408
|
|
- JVN : JVN#06446084
- National Vulnerability Database (NVD) : CVE-2020-17408
|
|
- [2020/08/31]
Web page was published
|
