CVE-2024-38374

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-38374
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing CycloneDX Bill of Materials in XML format, _cyclonedx-core-java_ leverages XPath expressions to determine the schema version of the BOM. The `DocumentBuilderFactory` used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. This vulnerability has been fixed in cyclonedx-core-java version 9.0.4.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/CycloneDX/cyclonedx-core-java/pull/434
https://github.com/CycloneDX/cyclonedx-core-java/pull/434/commits/ab0bc9c530d24f737970dbd0287d1190b129853d
https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-683x-4444-jxh8
Configurations

No configuration.

History

01 Jul 2024, 12:37

Type Values Removed Values Added
Summary
  • (es) El módulo principal de CycloneDX proporciona una representación modelo del SBOM junto con utilidades para ayudar a crear, validar y analizar SBOM. Antes de deserializar la lista de materiales de CycloneDX en formato XML, _cyclonedx-core-java_ aprovecha las expresiones XPath para determinar la versión del esquema de la lista de materiales. El `DocumentBuilderFactory` utilizado para evaluar expresiones XPath no estaba configurado de forma segura, lo que hacía que la biblioteca fuera vulnerable a la inyección de entidad externa XML (XXE). Esta vulnerabilidad se ha solucionado en cyclonedx-core-java versión 9.0.4.

28 Jun 2024, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-06-28 18:15

Updated : 2024-07-01 12:37

NVD link : CVE-2024-38374

Mitre link : CVE-2024-38374

CVE.ORG link : CVE-2024-38374

JSON object : View

Products Affected

No product.

CWE
CWE-611

Improper Restriction of XML External Entity Reference


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024