CVSS3 Score: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score: 0.0005 Low
EPSS Percentile: 18.3%
org.cyclonedx:cyclonedx-core-java is vulnerable to XML External Entity (XXE) injection. The vulnerability is caused by an improperly configured DocumentBuilderFactory, which is used to evaluate XPath expressions that determine the schema version of the BOM before a CycloneDX Bill of Materials in XML format is deserialized. This can lead to exfiltration of local file content or Server Side Request Forgery (SSRF).
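As an added illustration (not the project's own code), the configuration contrast the description points at: a DocumentBuilderFactory hardened to refuse DOCTYPE declarations and external entities, with the schema-version XPath lookup run through it on a constructed BOM that carries an external entity. The class and method names, and the sample BOM, are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Hypothetical class; names are not from cyclonedx-core-java.
public class BomSchemaVersionProbe {
    // Constructed sample: CycloneDX-style BOM with a DOCTYPE declaring an external entity (placeholder id).
    static final String BOM_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE bom [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>"
      + "<bom xmlns=\"http://cyclonedx.org/schema/bom/1.4\" version=\"1\">"
      + "<metadata><component type=\"library\"><name>&ext;</name></component></metadata>"
      + "</bom>";

    // Weak: a stock DocumentBuilderFactory.newInstance() with no features set resolves DOCTYPE and
    // external entities. Hardened: reject DOCTYPE outright, plus defence-in-depth Xerces features.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setNamespaceAware(true);
        return dbf;
    }

    // The lookup the description refers to: parse, then read the schema version from the root namespace.
    static String schemaVersion(DocumentBuilderFactory dbf, String xml) throws Exception {
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        String ns = (String) XPathFactory.newInstance().newXPath()
            .evaluate("namespace-uri(/*)", doc, XPathConstants.STRING);
        return ns.substring(ns.lastIndexOf('/') + 1); // ".../bom/1.4" -> "1.4"
    }

    public static void main(String[] args) throws Exception {
        try {
            System.out.println("schema version: " + schemaVersion(hardenedFactory(), BOM_WITH_DOCTYPE));
        } catch (SAXParseException e) {
            // With disallow-doctype-decl set, the parser stops here before any entity is resolved.
            System.out.println("hardened parser rejected BOM: " + e.getMessage());
        }
    }
}
```

Feeding the same sample to an unhardened factory would attempt to resolve the entity during parsing, before the schema-version check ever runs, which is the ordering the description describes.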