[Japanese]

JVNDB-2023-000032

Improper restriction of XML external entity references (XXE) in National land numerical information data conversion tool

Overview

National land numerical information data conversion tool provided by MLIT improperly restricts XML external entity references (XXE) (CWE-611).

Taku Toyama and Kohei Matsumoto of NEC Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 2.5 (Low) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 1.2 (Low) [IPA Score]
  • Access Vector: Local
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products


Ministry of Land, Infrastructure, Transport and Tourism
  • National land numerical information data conversion tool all versions

Impact

By processing a specially crafted XML file, arbitrary files on the PC may be accessed by an attacker.
Solution

[Stop using the product]
The developer states that the product is no longer publicly available, and recommends users to stop using the product.
Vendor Information

Ministry of Land, Infrastructure, Transport and Tourism
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2023-25955
References

  1. JVN : JVN#75742861
  2. National Vulnerability Database (NVD) : CVE-2023-25955
Revision History

  • [2023/04/04]
      Web page was published
  • [2024/06/04]
      References : Content was added