Lucene search

GitHub_MCVE-2024-34345

HistoryMay 14, 2024 - 3:38 p.m.

CVE-2024-34345

2024-05-1415:38:40

CWE-611

GitHub_M

web.nvd.nist.gov

cyclonedx javascript library

owasp cyclonedx

xml external entity injection

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.8

Confidence

Low

EPSS

0.001

Percentile

18.1%

JSON

The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External entity injections were possible, when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1.

Affected configurations

Vulners

Node

cyclonedxcyclonedx_javascript_library

VendorProductVersionCPE
cyclonedxcyclonedx_javascript_library*cpe:2.3:a:cyclonedx:cyclonedx_javascript_library:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cyclonedx	cyclonedx_javascript_library	*	cpe:2.3:a:cyclonedx:cyclonedx_javascript_library::::::::

CNA Affected

[
  {
    "vendor": "CycloneDX",
    "product": "cyclonedx-javascript-library",
    "versions": [
      {
        "version": "= 6.7.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203

github.com/CycloneDX/cyclonedx-javascript-library/pull/1063

github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.8

Confidence

Low

EPSS

0.001

Percentile

18.1%

JSON

Related for CVE-2024-34345