Description
tsClinical Metadata Desktop Tools (and its predecessor, tsClinical Define.xml Generator) has functionality that reads an XML file supplied by the user, either to validate it or to convert it to another format (Excel or HTML). If the user opens in the tool an XML file obtained from a malicious third party, a local file that meets specific conditions may be obtained by that third party.
Impact
If an XML file from a malicious third party contains an XML External Entity (XXE), a local file that meets both of the following conditions may be disclosed to the third party:
- The path of the local file on the PC where the tool is running is known to the attacker.
- The content of the local file consists only of characters that XXE can embed in a URL (i.e. the file is a text file that contains no line breaks, ampersands "&", etc.).
Patches
This vulnerability is fixed in tsClinical Metadata Desktop Tools V1.1.1. See the Downloading and Running Binary Distribution section of README.md or README_ja.md for how to download and run the tool.
Note: Development of tsClinical Define.xml Generator has ended. Users of tsClinical Define.xml Generator are advised to use the successor tool, tsClinical Metadata Desktop Tools.
Workarounds
A user can work around this vulnerability with the following step:
- Do not use the following menus, or do not open XML files of unknown origin through them.
| tsClinical Metadata Desktop Tools | tsClinical Define.xml Generator |
|---|---|
| Convert from Define-XML to Excel | Import Define.xml |
| Convert from XML to HTML | Validate against XML Schema |
| Convert from ODM-XML to Excel | |
| Validate XML against XML Schema | |
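Added illustration, not code from the advisory or from the tsClinical project: a Python pre-check in the spirit of the fix, which refuses any user-supplied XML that declares a DOCTYPE or an external entity before the real parser ever sees it. The ODM-like sample documents, the entity name and the file path are constructed placeholders.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when untrusted XML declares a DOCTYPE or an external entity."""


def find_unsafe_constructs(xml_bytes: bytes) -> list[str]:
    """Scan the prologue with expat callbacks; return DTD constructs found."""
    findings: list[str] = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE {name}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # A system identifier points outside the document: the XXE vector.
        if sysid is not None:
            findings.append(f"external entity {name} -> {sysid}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:  # no ExternalEntityRefHandler is installed, so nothing is fetched
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError:
        pass  # malformed input; any DTD findings are already recorded
    return findings


def parse_untrusted_xml(xml_bytes: bytes) -> ET.Element:
    """Parse only documents with no DTD; otherwise raise UnsafeXmlError."""
    findings = find_unsafe_constructs(xml_bytes)
    if findings:
        raise UnsafeXmlError("; ".join(findings))
    return ET.fromstring(xml_bytes)


def is_accepted(xml_bytes: bytes) -> bool:
    """True if parse_untrusted_xml accepts the document."""
    try:
        parse_untrusted_xml(xml_bytes)
        return True
    except (UnsafeXmlError, ET.ParseError):
        return False


# Constructed samples (not from the advisory): a harmless document and one
# declaring an external entity, which the tool must refuse to read.
SAFE_DOC = b'<?xml version="1.0"?><ODM><Study OID="S1"/></ODM>'
XXE_DOC = (b'<?xml version="1.0"?><!DOCTYPE ODM [<!ENTITY xxe SYSTEM '
           b'"file:///PLACEHOLDER/local.txt">]><ODM><Study>&xxe;</Study></ODM>')
```

The same policy is what a JAXP-based tool would apply by setting the disallow-doctype-decl feature on its parser factory; here it is expressed as an explicit check so the rejection reason can be logged.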