CVE-2024-21765 - Vulnerability Details - OpenCVE

ReportizFlow

Electronic Delivery Check System (Doboku) Ver.18.1.0 and earlier, Electronic Delivery Check System (Dentsu) Ver.12.1.0 and earlier, Electronic Delivery Check System (Kikai) Ver.10.1.0 and earlier, and Electronic delivery item Inspection Support SystemVer.4.0.31 and earlier improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cals-ed	Electronic Delivery Check System Electronic Delivery Item Inspection Support System

Configuration 1 [-]

OR	cpe:2.3:a:cals-ed:electronic_delivery_check_system:::::mechanical:::*
	cpe:2.3:a:cals-ed:electronic_delivery_check_system:::::dentsu:::*
	cpe:2.3:a:cals-ed:electronic_delivery_check_system:::::doboku:::*
	cpe:2.3:a:cals-ed:electronic_delivery_item_inspection_support_system::::::::

No data.

References

Link	Providers
http://www.cals-ed.go.jp/checksys-release-20231130/
https://jvn.jp/en/jp/JVN77736613/
https://www.ysk.nilim.go.jp/cals/

History

No history.

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2024-01-24T01:32:42.611Z

Updated: 2024-08-01T22:27:36.262Z

Reserved: 2024-01-12T07:58:24.236Z

Link: CVE-2024-21765

Vulnrichment

No data.

NVD

Status : Modified

Published: 2024-01-24T02:15:07.110

Modified: 2024-11-21T08:54:58.013

Link: CVE-2024-21765

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21765", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2024-01-12T07:58:24.236Z", "datePublished": "2024-01-24T01:32:42.611Z", "dateUpdated": "2024-08-01T22:27:36.262Z"}, "containers": {"cna": {"affected": [{"vendor": "Ministry of Land, Infrastructure, Transport and Tourism, Japan", "product": "Electronic Delivery Check System (Doboku)", "versions": [{"version": "Ver.18.1.0 and earlier", "status": "affected"}]}, {"vendor": "Ministry of Land, Infrastructure, Transport and Tourism, Japan", "product": "Electronic Delivery Check System (Dentsu)", "versions": [{"version": "Ver.12.1.0 and earlier", "status": "affected"}]}, {"vendor": "Ministry of Land, Infrastructure, Transport and Tourism, Japan", "product": "Electronic Delivery Check System (Kikai)", "versions": [{"version": "Ver.10.1.0 and earlier", "status": "affected"}]}, {"vendor": "Ministry of Land, Infrastructure, Transport and Tourism, Japan", "product": "Electronic delivery item Inspection Support System", "versions": [{"version": "Ver.4.0.31 and earlier", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "Electronic Delivery Check System (Doboku) Ver.18.1.0 and earlier, Electronic Delivery Check System (Dentsu) Ver.12.1.0 and earlier, Electronic Delivery Check System (Kikai) Ver.10.1.0 and earlier, and Electronic delivery item Inspection Support SystemVer.4.0.31 and earlier improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker."}], "problemTypes": [{"descriptions": [{"description": "XML external entities (XXE)", "lang": "en", "type": "text"}]}], "references": [{"url": "http://www.cals-ed.go.jp/checksys-release-20231130/"}, {"url": "https://www.ysk.nilim.go.jp/cals/"}, {"url": "https://jvn.jp/en/jp/JVN77736613/"}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2024-01-24T01:32:42.611Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:36.262Z"}, "title": "CVE Program Container", "references": [{"url": "http://www.cals-ed.go.jp/checksys-release-20231130/", "tags": ["x_transferred"]}, {"url": "https://www.ysk.nilim.go.jp/cals/", "tags": ["x_transferred"]}, {"url": "https://jvn.jp/en/jp/JVN77736613/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cals-ed:electronic_delivery_check_system:*:*:*:*:mechanical:*:*:*", "matchCriteriaId": "C64D3573-59E1-4CCD-A761-83D23FD4C2E2", "versionEndExcluding": "11.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cals-ed:electronic_delivery_check_system:*:*:*:*:dentsu:*:*:*", "matchCriteriaId": "FC3FCDF8-7C2E-4302-971B-4717C6026215", "versionEndExcluding": "13.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cals-ed:electronic_delivery_check_system:*:*:*:*:doboku:*:*:*", "matchCriteriaId": "E40D18DA-A075-4C2B-8EDA-C2E070F1A46C", "versionEndExcluding": "19.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cals-ed:electronic_delivery_item_inspection_support_system:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D31CF60-2F4A-4AEA-AA46-F5E54CFF5A50", "versionEndIncluding": "4.0.31", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Electronic Delivery Check System (Doboku) Ver.18.1.0 and earlier, Electronic Delivery Check System (Dentsu) Ver.12.1.0 and earlier, Electronic Delivery Check System (Kikai) Ver.10.1.0 and earlier, and Electronic delivery item Inspection Support SystemVer.4.0.31 and earlier improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker."}, {"lang": "es", "value": "Electronic Delivery Check System (Doboku) versi\u00f3n 18.1.0 y anterior,\nElectronic Delivery Check System (Dentsu) versi\u00f3n 12.1.0 y anterior,\nElectronic Delivery Check System (Kikai) versi\u00f3n 10.1.0 y anterior, y\nElectronic delivery item Inspection Support SystemVer.4.0.31 y anteriores,\nrestringen incorrectamente las referencias de entidades externas XML (XXE). Al procesar un archivo XML especialmente manipulado, un atacante puede leer archivos arbitrarios del sistema."}], "id": "CVE-2024-21765", "lastModified": "2024-11-21T08:54:58.013", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2024-01-24T02:15:07.110", "references": [{"source": "[email protected]", "tags": ["Release Notes"], "url": "http://www.cals-ed.go.jp/checksys-release-20231130/"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN77736613/"}, {"source": "[email protected]", "tags": ["Product"], "url": "https://www.ysk.nilim.go.jp/cals/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "http://www.cals-ed.go.jp/checksys-release-20231130/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN77736613/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.ysk.nilim.go.jp/cals/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "[email protected]", "type": "Primary"}]}