CVE-2024-21765 - Vulnerability Details - OpenCVE

Electronic Delivery Check System (Doboku) Ver.18.1.0 and earlier, Electronic Delivery Check System (Dentsu) Ver.12.1.0 and earlier, Electronic Delivery Check System (Kikai) Ver.10.1.0 and earlier, and Electronic delivery item Inspection Support SystemVer.4.0.31 and earlier improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Cals-ed	Electronic Delivery Check System Electronic Delivery Item Inspection Support System

Configuration 1 [-]

OR	cpe:2.3:a:cals-ed:electronic_delivery_check_system:::::mechanical:::*
	cpe:2.3:a:cals-ed:electronic_delivery_check_system:::::dentsu:::*
	cpe:2.3:a:cals-ed:electronic_delivery_check_system:::::doboku:::*
	cpe:2.3:a:cals-ed:electronic_delivery_item_inspection_support_system::::::::

No data.

References

Link	Providers
http://www.cals-ed.go.jp/checksys-release-20231130/
https://jvn.jp/en/jp/JVN77736613/
https://www.ysk.nilim.go.jp/cals/

History

Fri, 20 Jun 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2024-01-24T01:32:42.611Z

Updated: 2025-06-20T19:26:21.223Z

Reserved: 2024-01-12T07:58:24.236Z

Link: CVE-2024-21765

Vulnrichment

Updated: 2024-08-01T22:27:36.262Z

NVD

Status : Modified

Published: 2024-01-24T02:15:07.110

Modified: 2025-06-20T20:15:28.683

Link: CVE-2024-21765

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21765", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2024-01-12T07:58:24.236Z", "datePublished": "2024-01-24T01:32:42.611Z", "dateUpdated": "2025-06-20T19:26:21.223Z"}, "containers": {"cna": {"affected": [{"vendor": "Ministry of Land, Infrastructure, Transport and Tourism, Japan", "product": "Electronic Delivery Check System (Doboku)", "versions": [{"version": "Ver.18.1.0 and earlier", "status": "affected"}]}, {"vendor": "Ministry of Land, Infrastructure, Transport and Tourism, Japan", "product": "Electronic Delivery Check System (Dentsu)", "versions": [{"version": "Ver.12.1.0 and earlier", "status": "affected"}]}, {"vendor": "Ministry of Land, Infrastructure, Transport and Tourism, Japan", "product": "Electronic Delivery Check System (Kikai)", "versions": [{"version": "Ver.10.1.0 and earlier", "status": "affected"}]}, {"vendor": "Ministry of Land, Infrastructure, Transport and Tourism, Japan", "product": "Electronic delivery item Inspection Support System", "versions": [{"version": "Ver.4.0.31 and earlier", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "Electronic Delivery Check System (Doboku) Ver.18.1.0 and earlier, Electronic Delivery Check System (Dentsu) Ver.12.1.0 and earlier, Electronic Delivery Check System (Kikai) Ver.10.1.0 and earlier, and Electronic delivery item Inspection Support SystemVer.4.0.31 and earlier improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker."}], "problemTypes": [{"descriptions": [{"description": "XML external entities (XXE)", "lang": "en", "type": "text"}]}], "references": [{"url": "http://www.cals-ed.go.jp/checksys-release-20231130/"}, {"url": "https://www.ysk.nilim.go.jp/cals/"}, {"url": "https://jvn.jp/en/jp/JVN77736613/"}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2024-01-24T01:32:42.611Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:36.262Z"}, "title": "CVE Program Container", "references": [{"url": "http://www.cals-ed.go.jp/checksys-release-20231130/", "tags": ["x_transferred"]}, {"url": "https://www.ysk.nilim.go.jp/cals/", "tags": ["x_transferred"]}, {"url": "https://jvn.jp/en/jp/JVN77736613/", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-611", "lang": "en", "description": "CWE-611 Improper Restriction of XML External Entity Reference"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-01-24T14:26:27.308398Z", "id": "CVE-2024-21765", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-20T19:26:21.223Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.cals-ed.go.jp/checksys-release-20231130/", "tags": ["x_transferred"]}, {"url": "https://www.ysk.nilim.go.jp/cals/", "tags": ["x_transferred"]}, {"url": "https://jvn.jp/en/jp/JVN77736613/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:36.262Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-21765", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-24T14:26:27.308398Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-20T19:25:58.489Z"}}], "cna": {"affected": [{"vendor": "Ministry of Land, Infrastructure, Transport and Tourism, Japan", "product": "Electronic Delivery Check System (Doboku)", "versions": [{"status": "affected", "version": "Ver.18.1.0 and earlier"}]}, {"vendor": "Ministry of Land, Infrastructure, Transport and Tourism, Japan", "product": "Electronic Delivery Check System (Dentsu)", "versions": [{"status": "affected", "version": "Ver.12.1.0 and earlier"}]}, {"vendor": "Ministry of Land, Infrastructure, Transport and Tourism, Japan", "product": "Electronic Delivery Check System (Kikai)", "versions": [{"status": "affected", "version": "Ver.10.1.0 and earlier"}]}, {"vendor": "Ministry of Land, Infrastructure, Transport and Tourism, Japan", "product": "Electronic delivery item Inspection Support System", "versions": [{"status": "affected", "version": "Ver.4.0.31 and earlier"}]}], "references": [{"url": "http://www.cals-ed.go.jp/checksys-release-20231130/"}, {"url": "https://www.ysk.nilim.go.jp/cals/"}, {"url": "https://jvn.jp/en/jp/JVN77736613/"}], "descriptions": [{"lang": "en", "value": "Electronic Delivery Check System (Doboku) Ver.18.1.0 and earlier, Electronic Delivery Check System (Dentsu) Ver.12.1.0 and earlier, Electronic Delivery Check System (Kikai) Ver.10.1.0 and earlier, and Electronic delivery item Inspection Support SystemVer.4.0.31 and earlier improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "XML external entities (XXE)"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2024-01-24T01:32:42.611Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21765", "state": "PUBLISHED", "dateUpdated": "2025-06-20T19:26:21.223Z", "dateReserved": "2024-01-12T07:58:24.236Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2024-01-24T01:32:42.611Z", "assignerShortName": "jpcert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cals-ed:electronic_delivery_check_system:*:*:*:*:mechanical:*:*:*", "matchCriteriaId": "C64D3573-59E1-4CCD-A761-83D23FD4C2E2", "versionEndExcluding": "11.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cals-ed:electronic_delivery_check_system:*:*:*:*:dentsu:*:*:*", "matchCriteriaId": "FC3FCDF8-7C2E-4302-971B-4717C6026215", "versionEndExcluding": "13.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cals-ed:electronic_delivery_check_system:*:*:*:*:doboku:*:*:*", "matchCriteriaId": "E40D18DA-A075-4C2B-8EDA-C2E070F1A46C", "versionEndExcluding": "19.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cals-ed:electronic_delivery_item_inspection_support_system:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D31CF60-2F4A-4AEA-AA46-F5E54CFF5A50", "versionEndIncluding": "4.0.31", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Electronic Delivery Check System (Doboku) Ver.18.1.0 and earlier, Electronic Delivery Check System (Dentsu) Ver.12.1.0 and earlier, Electronic Delivery Check System (Kikai) Ver.10.1.0 and earlier, and Electronic delivery item Inspection Support SystemVer.4.0.31 and earlier improperly restrict XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker."}, {"lang": "es", "value": "Electronic Delivery Check System (Doboku) versi\u00f3n 18.1.0 y anterior,\nElectronic Delivery Check System (Dentsu) versi\u00f3n 12.1.0 y anterior,\nElectronic Delivery Check System (Kikai) versi\u00f3n 10.1.0 y anterior, y\nElectronic delivery item Inspection Support SystemVer.4.0.31 y anteriores,\nrestringen incorrectamente las referencias de entidades externas XML (XXE). Al procesar un archivo XML especialmente manipulado, un atacante puede leer archivos arbitrarios del sistema."}], "id": "CVE-2024-21765", "lastModified": "2025-06-20T20:15:28.683", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-01-24T02:15:07.110", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Release Notes"], "url": "http://www.cals-ed.go.jp/checksys-release-20231130/"}, {"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN77736613/"}, {"source": "vultures@jpcert.or.jp", "tags": ["Product"], "url": "https://www.ysk.nilim.go.jp/cals/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "http://www.cals-ed.go.jp/checksys-release-20231130/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN77736613/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.ysk.nilim.go.jp/cals/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-611"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}