JVNDB-2025-000081

DataSpider Servista improper restriction of XML external entity references

Overview

DataSpider Servista, provided by Saison Technology Co.,Ltd., is data integration software.
DataSpider Servista contains the following vulnerability.
  • Improper restriction of XML external entity reference (CWE-611) - CVE-2025-48006
Shigeaki Tsunoda of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 8.2 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: Low
Affected Products


Saison Technology Co.,Ltd.
  • DataSpider Servista 4.4 and earlier

The developer states that some of DataSpider Servista's OEM products are affected by this vulnerability.
For information on the affected products and versions, refer to the vendors' advisories listed under "Vendor Status" in this JVN advisory.
Impact

If the product processes a specially crafted request, arbitrary files on the file system where the product's server application is installed may be read, or a denial-of-service (DoS) condition may result.
Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer.
Vendor Information

  • Saison Technology Co.,Ltd.
  • TerraSky Co., Ltd.
CWE

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE

  1. CVE-2025-48006
References

  1. JVN : JVN#23423519
Revision History

  • [2025/09/29]
      Web page was published
  • [2025/10/07]
      Affected Products : Content was added
      Vendor Information : Content was added