Lucene search

GitHub_MCVELIST:CVE-2024-34345

HistoryMay 09, 2024 - 2:56 p.m.

CVE-2024-34345 @cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability

2024-05-0914:56:07

CWE-611

GitHub_M

www.cve.org

cyclonedx

javascript

xml

vulnerability

owasp

6.7.0

6.7.1

fixed

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.4

Confidence

High

EPSS

0.001

Percentile

18.1%

JSON

The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External entity injections were possible, when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1.

CNA Affected

[
  {
    "vendor": "CycloneDX",
    "product": "cyclonedx-javascript-library",
    "versions": [
      {
        "version": "= 6.7.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203

github.com/CycloneDX/cyclonedx-javascript-library/pull/1063

github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.4

Confidence

High

EPSS

0.001

Percentile

18.1%

JSON

Related for CVELIST:CVE-2024-34345