JVNDB-2023-000017

Improper restriction of XML external entity reference (XXE) vulnerability in tsClinical Define.xml Generator and tsClinical Metadata Desktop Tools

Overview

tsClinical Define.xml Generator and tsClinical Metadata Desktop Tools provided by FUJITSU LIMITED contain an improper restriction of XML external entity reference (XXE) vulnerability (CWE-611).

Toyama Taku and Sakaki Ryutaro of NEC Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 2.5 (Low) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 1.2 (Low) [IPA Score]
  • Access Vector: Local
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products

FUJITSU
  • tsClinical Define.xml Generator all versions (v1.0.0 to v1.4.0)
  • tsClinical Metadata Desktop Tools Version 1.0.3 to Version 1.1.0

tsClinical Metadata Desktop Tools is the open-source version of tsClinical Define.xml Generator.
Impact

If a user opens a specially crafted XML file with the affected software, an attacker may obtain arbitrary files that meet a certain condition.
Solution

[Update the software]
For tsClinical Metadata Desktop Tools, the developer has released tsClinical Metadata Desktop Tools Version 1.1.1 that addresses this vulnerability.
Update the software according to the information provided by the developer.

[Switch to the alternative product]
Development of tsClinical Define.xml Generator has ended, and no updates are planned.
The developer recommends discontinuing use of the product and switching to tsClinical Metadata Desktop Tools.

[Apply the workaround]
Applying the following workaround may mitigate the impact of this vulnerability.
  • Do not use the following menus, or do not open untrusted XML files with them.
    • tsClinical Define.xml Generator:
      • Import Define.xml
      • Validate against XML Schema
    • tsClinical Metadata Desktop Tools:
      • Convert from Define-XML to Excel
      • Convert from XML to HTML
      • Convert from ODM-XML to Excel
      • Validate against XML Schema
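The Impact section and the workaround above describe the CWE-611 pattern: an XML file declares an external entity whose replacement text is a local file, and the application's parser resolves it. The following Python is an added example, not code from tsClinical Define.xml Generator, tsClinical Metadata Desktop Tools or JVN, and the page does not say how the vendor's fix in Version 1.1.1 is implemented. It shows the two things a defender wants here: a triage check that lists external entity declarations in a file without dereferencing them (for reviewing files before opening them in a tool), and a loader that refuses any DOCTYPE before parsing, which is the standard mitigation for this weakness. The sample documents, element names and the file path are constructed placeholders, not the real Define-XML or ODM schema.

```python
"""Hardened loading of untrusted XML, mitigating CWE-611 (XXE).

Added example; not code from the tsClinical products or from JVN.
Element names, attribute values and the file path are constructed
placeholders.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class ForbiddenDtdError(ValueError):
    """Raised when an untrusted document carries a DOCTYPE declaration."""


# Constructed sample: an external general entity whose replacement text is a
# local file, referenced from element content. The path is a placeholder.
MALICIOUS_XML = b"""<?xml version="1.0"?>
<!DOCTYPE ODM [
  <!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret.txt">
]>
<ODM><Study OID="S-001"><Description>&ext;</Description></Study></ODM>
"""

# Constructed sample: the same document without a DTD.
BENIGN_XML = b"""<?xml version="1.0"?>
<ODM><Study OID="S-001"><Description>Phase III</Description></Study></ODM>
"""


def find_external_entities(data: bytes) -> list:
    """Triage check: return 'name -> systemId' for every external entity
    declared in the DTD. Nothing is fetched: no ExternalEntityRefHandler is
    installed, so expat records the declaration but never opens the URI."""
    found = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_entity_decl(name, is_param, value, base, system_id, public_id,
                       notation_name):
        # Internal entities have a value and no identifiers; external ones
        # carry a SYSTEM and/or PUBLIC identifier.
        if system_id is not None or public_id is not None:
            found.append(f"{name} -> {system_id}")

    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        pass  # malformed input: report what was declared before the error
    return found


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source into an ElementTree, refusing any
    DOCTYPE. A DTD is the only place an entity can be declared, and
    schema-validated documents do not need one, so rejecting it up front
    closes the whole class rather than one payload shape."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    parser.buffer_text = True  # deliver each text node in one callback

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ForbiddenDtdError(
            f"DOCTYPE '{name}' not allowed (system id: {system_id!r})")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = builder.start   # (tag, attrs dict)
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    # No ExternalEntityRefHandler is set: even if a DOCTYPE were allowed,
    # expat would not resolve external entities on its own.
    parser.Parse(data, True)
    return builder.close()


def verdict(data: bytes) -> str:
    """Human-readable outcome of the hardened parse, for logging."""
    try:
        root = parse_untrusted_xml(data)
    except ForbiddenDtdError as exc:
        return f"rejected: {exc}"
    return f"parsed: <{root.tag}> with {len(root)} child element(s)"


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_XML), ("malicious", MALICIOUS_XML)):
        print(label, "external entities:", find_external_entities(doc))
        print(label, verdict(doc))
```

The triage function is safe to run over files of unknown origin because expat only dereferences an external entity when an ExternalEntityRefHandler is installed, which this code never does; the loader goes one step further and fails closed on the DOCTYPE itself, so no entity declaration is ever processed.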
Vendor Information

FUJITSU
CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]
CVE

  1. CVE-2023-22377
References

  1. JVN: JVN#00712821
Revision History

  • [2023/02/14]
      Web page was published