CVE-2023-27527: Improper restriction of XML external entity references (XXE) in Shinseiyo Sogo Soft

Published:2023/04/19 Last Updated:2023/04/19

Overview

Shinseiyo Sogo Soft provided by The Ministry of Justice improperly restricts XML external entity references (XXE).

Products Affected

• Shinseiyo Sogo Soft (7.9A) and earlier

Description

Shinseiyo Sogo Soft provided by The Ministry of Justice improperly restricts XML external entity references (XXE) (CWE-611).

Impact

By processing a specially crafted XML file, arbitrary files on the PC may be accessed by an attacker.

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Attack Vector(AV)

Physical §

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required ®

None (N)

Scope(S)

Unchanged (U)

Changed ©

Confidentiality Impact©

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:L/AC:H/Au:N/C:P/I:N/A:N

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact©

None (N)

Partial §

Complete ©

Integrity Impact(I)

None (N)

Partial §

Complete ©

Availability Impact(A)

None (N)

Partial §

Complete ©

Comment

The analysis evaluates “Confidentiality©” as the primary impact where the internal file information is accessible, whereas treating "Integrity(I)" and "Availability(A)" as the secondary impacts.

Credit

Taku Toyama of NEC Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information