CVE-2024-21765

Electronic Delivery Check System (Doboku) Ver.18.1.0 and earlier, Electronic Delivery Check System (Dentsu) Ver.12.1.0 and earlier, Electronic Delivery Check System (Kikai) Ver.10.1.0 and earlier, and Electronic delivery item Inspection Support SystemVer.4.0.31 and earlier improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://www.cals-ed.go.jp/checksys-release-20231130/	Release Notes
https://jvn.jp/en/jp/JVN77736613/	Third Party Advisory
https://www.ysk.nilim.go.jp/cals/	Product

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cals-ed:electronic_delivery_check_system:::::mechanical:::*
	cpe:2.3:a:cals-ed:electronic_delivery_check_system:::::dentsu:::*
	cpe:2.3:a:cals-ed:electronic_delivery_check_system:::::doboku:::*
	cpe:2.3:a:cals-ed:electronic_delivery_item_inspection_support_system::::::::

History

No history.

Information

Published : 2024-01-24 02:15

Updated : 2024-01-30 22:14

NVD link : CVE-2024-21765

Mitre link : CVE-2024-21765

CVE.ORG link : CVE-2024-21765

JSON object : View

Products Affected

cals-ed

electronic_delivery_item_inspection_support_system
electronic_delivery_check_system

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2024-21765", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-01-24T02:15:07.110", "references": [{"url": "http://www.cals-ed.go.jp/checksys-release-20231130/", "tags": ["Release Notes"], "source": "vultures@jpcert.or.jp"}, {"url": "https://jvn.jp/en/jp/JVN77736613/", "tags": ["Third Party Advisory"], "source": "vultures@jpcert.or.jp"}, {"url": "https://www.ysk.nilim.go.jp/cals/", "tags": ["Product"], "source": "vultures@jpcert.or.jp"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "Electronic Delivery Check System (Doboku) Ver.18.1.0 and earlier, Electronic Delivery Check System (Dentsu) Ver.12.1.0 and earlier, Electronic Delivery Check System (Kikai) Ver.10.1.0 and earlier, and Electronic delivery item Inspection Support SystemVer.4.0.31 and earlier improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker."}, {"lang": "es", "value": "Electronic Delivery Check System (Doboku) versi\u00f3n 18.1.0 y anterior,\nElectronic Delivery Check System (Dentsu) versi\u00f3n 12.1.0 y anterior,\nElectronic Delivery Check System (Kikai) versi\u00f3n 10.1.0 y anterior, y\nElectronic delivery item Inspection Support SystemVer.4.0.31 y anteriores,\nrestringen incorrectamente las referencias de entidades externas XML (XXE). Al procesar un archivo XML especialmente manipulado, un atacante puede leer archivos arbitrarios del sistema."}], "lastModified": "2024-01-30T22:14:09.087", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cals-ed:electronic_delivery_check_system:*:*:*:*:mechanical:*:*:*", "vulnerable": true, "matchCriteriaId": "C64D3573-59E1-4CCD-A761-83D23FD4C2E2", "versionEndExcluding": "11.0.0"}, {"criteria": "cpe:2.3:a:cals-ed:electronic_delivery_check_system:*:*:*:*:dentsu:*:*:*", "vulnerable": true, "matchCriteriaId": "FC3FCDF8-7C2E-4302-971B-4717C6026215", "versionEndExcluding": "13.0.0"}, {"criteria": "cpe:2.3:a:cals-ed:electronic_delivery_check_system:*:*:*:*:doboku:*:*:*", "vulnerable": true, "matchCriteriaId": "E40D18DA-A075-4C2B-8EDA-C2E070F1A46C", "versionEndExcluding": "19.0.0"}, {"criteria": "cpe:2.3:a:cals-ed:electronic_delivery_item_inspection_support_system:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D31CF60-2F4A-4AEA-AA46-F5E54CFF5A50", "versionEndIncluding": "4.0.31"}], "operator": "OR"}]}], "sourceIdentifier": "vultures@jpcert.or.jp"}