Veracode Vulnerability Database: VERACODE:46827
History: May 09, 2024 - 10:18 a.m.

XML External Entity (XXE) Injection

2024-05-09 10:18:42
Veracode Vulnerability Database
sca.analysiscenter.veracode.com

CVSS3: 8.1 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7 High (Confidence: High)
EPSS: 0.0005 Low (Percentile: 18.3%)

@cyclonedx/cyclonedx-library is vulnerable to XML External Entity (XXE) Injection. The vulnerability is due to improper XML parsing configuration within xmlValidator.node.ts, allowing an attacker to potentially access sensitive files or execute malicious code through crafted XML entities.
