82 matches found
CycloneDX Generator 安全漏洞
CycloneDX Generator cdxgen is a CLI tool, library, REPL and server for CycloneDX open source. It is used to create valid and compatible CycloneDX bill of materials. A security vulnerability exists in CycloneDX Generator version 10.10.7 and prior versions, which stems from the possibility of...
CVE-2024-50611
CycloneDX cdxgen up to version 10.10.7 may execute code contained in build-related files (e.g., build.gradle.kts) when run against untrusted codebases. This is described as a design limitation rather than an implementation bug, with a similar issue to CVE-2022-24441. Affected software: CycloneDX ...
CVE-2024-50611
CycloneDX cdxgen through 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example, OWASP dep-scan. NOTE: this has been characterized as a design limitation,...
CVE-2024-50611
CycloneDX cdxgen through 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example, OWASP dep-scan. NOTE: this has been characterized as a design limitation,...
PT-2024-34357 · Node.Js +3 · Node.Js +3
Name of the Vulnerable Software and Affected Versions: CycloneDX cdxgen versions prior to 11.1.7 Description: The issue allows execution of code contained within build-related files, such as build.gradle.kts, when run against an untrusted codebase. This is similar to a previously identified issue...
Moderate: Red Hat Security Advisory: Red Hat Trusted Profile Analyzer 1.1.2
Red Hat Trusted Profile Analyzer 1.1.2 release Red Hat Product Security has rated this update as having a security impact of Moderate Red Hat Trusted Profile Analyzer 1.1.2 Security Fixes: nodejs-async: Regular expression denial of service while parsing function in autoinject CVE-2024-39249 For...
CVE-2024-38374
A flaw was found in cyclonedx-core-java. It is vulnerable to XML External Entity XXE injection due to an insecure configuration of the DocumentBuilderFactory used to evaluate XPath expressions...
CVE-2024-38374
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing CycloneDX Bill of Materials in XML format, cyclonedx-core-java leverages XPath expressions to determine the schema version of the...
CVE-2024-38374
CVE-2024-38374 affects CycloneDX core (cyclonedx-core-java): before deserializing XML BOMs, an insecurely configured DocumentBuilderFactory used in XPath evaluation allowed XXE injection. The issue was fixed in cyclonedx-core-java 9.0.4; later notes indicate the XML Validator path was also affect...
CVE-2024-38374 Improper Restriction of XML External Entity Reference in org.cyclonedx:cyclonedx-core-java
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing CycloneDX Bill of Materials in XML format, cyclonedx-core-java leverages XPath expressions to determine the schema version of the...
CVE-2024-38374 Improper Restriction of XML External Entity Reference in org.cyclonedx:cyclonedx-core-java
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing CycloneDX Bill of Materials in XML format, cyclonedx-core-java leverages XPath expressions to determine the schema version of the...
CVE-2024-38374 Improper Restriction of XML External Entity Reference in org.cyclonedx:cyclonedx-core-java
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing CycloneDX Bill of Materials in XML format, cyclonedx-core-java leverages XPath expressions to determine the schema version of the...
CycloneDX Security Vulnerability
CycloneDX is a full-stack bill of materials BOM standard open-sourced by CycloneDX. A security vulnerability exists in CycloneDX that stems from vulnerability to XML External Entity XXE injection attacks...
XML External Entity (XXE)
org.cyclonedx:cyclonedx-core-java is vulnerable to XML External Entity XXE.The vulnerability is caused due to improper configuration of the DocumentBuilderFactory used to evaluate XPath expressions to determine the schema version of the BOM before deserializing CycloneDX Bill of Materials in XML...
Improper Restriction of XML External Entity Reference in org.cyclonedx:cyclonedx-core-java
Impact Before deserializing CycloneDX Bill of Materials in XML format, cyclonedx-core-java leverages XPath expressions to determine the schema version of the BOM. The DocumentBuilderFactory used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML Extern...
GHSA-683X-4444-JXH8 Improper Restriction of XML External Entity Reference in org.cyclonedx:cyclonedx-core-java
Impact Before deserializing CycloneDX Bill of Materials in XML format, cyclonedx-core-java leverages XPath expressions to determine the schema version of the BOM. The DocumentBuilderFactory used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML Extern...
CVE-2024-38374
creationtimestamp| type| source ---|---|--- 2024-06-24 09:20:38+00:00| published-proof-of-concept| https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-683x-4444-jxh8...
PT-2024-27967
Name of the Vulnerable Software and Affected Versions cyclonedx-core-java versions prior to 9.0.4 Description The CycloneDX core module provides a model representation of SBOMs and utilities for creating, validating, and parsing them. Before deserializing CycloneDX Bill of Materials in XML format...
SBOM support in Spring Boot 3.3
Spring Boot 3.3.0 has been released, and it contains support for SBOMs. SBOM stands for "Software Bill of Materials" and describes the components used to build a software artifact. In the context of this blog post, that's your Spring Boot application. These SBOMs are useful because they describe...
CVE-2024-34345
The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External entity injections were possible, when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1...