CVE-2024-27141

Toshiba printers use XML communication for the API endpoint provided by the printer. For the endpoint, XML parsing library is used and it is vulnerable to a time-based blind XML External Entity (XXE) vulnerability. An attacker can DoS the printers by sending a HTTP request without authentication. An attacker can exploit the XXE to retrieve information. As for the affected products/models/versions, see the reference URL.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://seclists.org/fulldisclosure/2024/Jul/1
https://jvn.jp/en/vu/JVNVU97136265/index.html
https://www.toshibatec.com/information/20240531_01.html
https://www.toshibatec.com/information/pdf/information20240531_01.pdf

Configurations

No configuration.

History

No history.

Information

Published : 2024-06-14 03:15

Updated : 2024-07-04 05:15

NVD link : CVE-2024-27141

Mitre link : CVE-2024-27141

CVE.ORG link : CVE-2024-27141

JSON object : View

Products Affected

No product.

CWE

CWE-776

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

{"id": "CVE-2024-27141", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ecc0f906-8666-484c-bcf8-c3b7520a72f0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2024-06-14T03:15:09.700", "references": [{"url": "http://seclists.org/fulldisclosure/2024/Jul/1", "source": "ecc0f906-8666-484c-bcf8-c3b7520a72f0"}, {"url": "https://jvn.jp/en/vu/JVNVU97136265/index.html", "source": "ecc0f906-8666-484c-bcf8-c3b7520a72f0"}, {"url": "https://www.toshibatec.com/information/20240531_01.html", "source": "ecc0f906-8666-484c-bcf8-c3b7520a72f0"}, {"url": "https://www.toshibatec.com/information/pdf/information20240531_01.pdf", "source": "ecc0f906-8666-484c-bcf8-c3b7520a72f0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "ecc0f906-8666-484c-bcf8-c3b7520a72f0", "description": [{"lang": "en", "value": "CWE-776"}]}], "descriptions": [{"lang": "en", "value": "Toshiba printers use XML communication for the API endpoint provided by the printer. For the endpoint, XML parsing library is used and it is vulnerable to a time-based blind XML External Entity (XXE) vulnerability. An attacker can DoS the printers by sending a HTTP request without authentication. An attacker can exploit the XXE to retrieve information.\u00a0As for the affected products/models/versions, see the reference URL."}, {"lang": "es", "value": "Las impresoras Toshiba utilizan comunicaci\u00f3n XML para el endpoint API proporcionado por la impresora. Para el endpoint, se utiliza la biblioteca de an\u00e1lisis XML y es vulnerable a una vulnerabilidad de entidad externa XML ciega (XXE) basada en el tiempo. Un atacante puede hacer DoS en las impresoras enviando una solicitud HTTP sin autenticaci\u00f3n. Un atacante puede explotar el XXE para recuperar informaci\u00f3n. En cuanto a los productos/modelos/versiones afectados, consulte la URL de referencia."}], "lastModified": "2024-07-04T05:15:11.080", "sourceIdentifier": "ecc0f906-8666-484c-bcf8-c3b7520a72f0"}