Veracode Vulnerability Database: VERACODE:47731
History: Jun 25, 2024 - 6:38 a.m.

XML External Entity (XXE)

2024-06-25 06:38:20
Veracode Vulnerability Database
sca.analysiscenter.veracode.com

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.0005 Low
EPSS Percentile: 18.3%

org.cyclonedx:cyclonedx-core-java is vulnerable to XML External Entity (XXE). The vulnerability is caused by improper configuration of the DocumentBuilderFactory used to evaluate XPath expressions that determine the schema version of the BOM before a CycloneDX Bill of Materials in XML format is deserialized. This can allow an attacker to exfiltrate local file content or perform Server-Side Request Forgery (SSRF).
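An added example, not code from this advisory or from cyclonedx-core-java, showing the defensive configuration the description points at: a DocumentBuilderFactory hardened before it is used to evaluate the XPath that reads a BOM's schema namespace, exercised against a constructed BOM that carries a DOCTYPE with an external entity. It assumes the JDK's built-in Xerces-based parser; the class name, sample document and placeholder URI are the example's own.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class BomSchemaVersionProbe {
    // Constructed sample: a minimal CycloneDX-style BOM whose DOCTYPE declares an
    // external entity. A default-configured parser resolves that URI while the
    // XPath that reads the schema namespace is being evaluated.
    static final String BOM_WITH_DOCTYPE =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE bom [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\">]>\n"
        + "<bom xmlns=\"http://cyclonedx.org/schema/bom/1.5\" version=\"1\">&ext;</bom>\n";
    // Hardened factory: reject any DOCTYPE (so no entities at all) and forbid
    // external DTD/schema fetches, which closes both the file-read and SSRF paths.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setNamespaceAware(true);
        return dbf;
    }
    // The version-probe step: parse the BOM, then read the root namespace via XPath.
    static String schemaNamespace(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return (String) XPathFactory.newInstance().newXPath()
                .evaluate("namespace-uri(/*)", doc, XPathConstants.STRING);
    }
    public static void main(String[] args) throws Exception {
        try {
            System.out.println("unexpected: " + schemaNamespace(hardenedFactory(), BOM_WITH_DOCTYPE));
        } catch (SAXParseException e) {
            // Expected: the DOCTYPE is refused before any entity can be resolved.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With the hardened factory the sample is rejected at the DOCTYPE; the same document parsed through a plain `DocumentBuilderFactory.newInstance()` would instead attempt to resolve the entity's URI during the version probe.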