JVNDB-2021-000095

Multiple improper restriction of XML external entity reference (XXE) vulnerabilities in Office Server Document Converter

Overview

Office Server Document Converter provided by Antenna House, Inc. contains the multiple improper restriction of XML external entity reference (XXE) vulnerabilities listed below.

* Improper restriction of XML external entity reference (XXE) (CWE-611) - CVE-2021-20838
  Resource exhaustion in the PDF convert server may occur.
* Improper restriction of XML external entity reference (XXE) (CWE-611) - CVE-2021-20839
  Massive access to the other servers may occur.

CVSS Severity

CVSS V3 Severity:
Base Metrics 7.2 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 6.4 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2021-20839.

CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2021-20838.

Affected Products


Antenna House, Inc.
  • Office Server Document Converter V7.2MR4 and earlier
  • Office Server Document Converter V7.1MR7 and earlier

Impact

* By processing a specially crafted XML document, the server running the product may be put into a denial-of-service (DoS) condition - CVE-2021-20838
* By processing a specially crafted XML document, denial-of-service (DoS) attacks against other servers may be carried out - CVE-2021-20839

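Both impacts come from the same root cause, CWE-611: the converter's XML parser is allowed to act on entity declarations supplied by the document. The following is an added example, not code from Antenna House or from the JVN advisory, of how an intake stage in front of an XML-consuming service can refuse external entity references (the cause of CVE-2021-20839-style requests to other servers) and cap internal entity expansion (the cause of CVE-2021-20838-style resource exhaustion). It uses only Python's standard expat binding; the function names, the sample documents and the placeholder host name are constructed for the example.

```python
# Added example, not code from Antenna House or the JVN advisory: an intake
# screen for an XML-to-document conversion service that applies the CWE-611
# mitigation (refuse external entity references) and bounds entity expansion.
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """The document asked for something a parser fed untrusted input must refuse."""


def parse_restricted(data: bytes, amplification: int = 10) -> dict:
    """Parse ``data`` with external entities refused and internal entity
    expansion capped at ``amplification`` times the input size.
    Returns simple statistics so callers can see what was accepted."""
    parser = expat.ParserCreate()
    # Never load external parameter entities: the DTD itself could point at a URL.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    stats = {"elements": 0, "text_chars": 0, "entities": 0}
    budget = amplification * len(data)

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # A SYSTEM or PUBLIC identifier means the parser would fetch a file or a
        # URL on the server's behalf (the "access to other servers" impact).
        if system_id is not None or public_id is not None:
            raise UnsafeXML(f"external entity {name!r} -> {system_id!r}")
        stats["entities"] += 1

    def external_ref(context, base, system_id, public_id):
        # Defence in depth: not reached once entity_decl has refused the
        # declaration, but guarantees nothing is fetched if it were.
        raise UnsafeXML(f"external entity reference {system_id!r}")

    def start_element(name, attrs):
        stats["elements"] += 1

    def char_data(text):
        # Nested internal entities expand geometrically; a character budget
        # relative to the input size bounds the resource-exhaustion impact.
        stats["text_chars"] += len(text)
        if stats["text_chars"] > budget:
            raise UnsafeXML(f"entity expansion exceeds {amplification}x input")

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.Parse(data, True)
    return stats


def classify(data: bytes) -> str:
    """Intake-queue wrapper: 'accepted (...)', 'refused: ...' or 'malformed: ...'."""
    try:
        stats = parse_restricted(data)
    except UnsafeXML as exc:
        return f"refused: {exc}"
    except expat.ExpatError as exc:
        return f"malformed: {exc}"
    return f"accepted ({stats['elements']} elements, {stats['text_chars']} text chars)"


# Constructed sample inputs (not from the advisory); the host name is a placeholder.
BENIGN = b"<doc><p>hello</p><p>world</p></doc>"
EXTERNAL_ENTITY = (
    b'<!DOCTYPE d [<!ENTITY ext SYSTEM "http://internal.example/placeholder">]>'
    b"<d>&ext;</d>"
)
EXPANSION = (
    b'<!DOCTYPE d [<!ENTITY a "aaaaaaaaaa">'
    b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
    b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]>'
    b"<d>&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;</d>"
)

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("external entity", EXTERNAL_ENTITY),
                       ("expansion", EXPANSION)]:
        print(f"{label:16s} {classify(doc)}")
```

The external-entity check fires at declaration time, before any reference is resolved, so the server never issues the outbound request; the expansion budget is measured against the input size rather than a fixed constant, so large legitimate documents are not penalised while a small document that expands to many times its size is cut off early.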
Solution

[Update the Software]
Update the software to the latest version according to the information provided by the developer.
Vendor Information

Antenna House, Inc.
CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]
CVE

  1. CVE-2021-20838
  2. CVE-2021-20839
References

  1. JVN: JVN#33453839
Revision History

  • [2021/10/28]
      Web page was published