CVE-2024-34345

2024-05-1415:38:40

CWE-611

[email protected]

web.nvd.nist.gov

cyclonedx javascript library

owasp cyclonedx

xml external entity injection

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

17.9%

JSON

The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External entity injections were possible, when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1.

Affected configurations

Vulners

Node

cyclonedxbill_of_materials_repository_serverMatch6.7.0

VendorProductVersionCPE
cyclonedxbill_of_materials_repository_server6.7.0cpe:2.3:a:cyclonedx:bill_of_materials_repository_server:6.7.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cyclonedx	bill_of_materials_repository_server	6.7.0	cpe:2.3:a:cyclonedx:bill_of_materials_repository_server:6.7.0:::::::*

CNA Affected

[
  {
    "vendor": "CycloneDX",
    "product": "cyclonedx-javascript-library",
    "versions": [
      {
        "version": "= 6.7.0",
        "status": "affected"
      }
    ]
  }
]