Bug 2294737 (CVE-2024-38374) - CVE-2024-38374 cyclonedx-core-java: XML External Entity injection while evaluating XPath expressions
Keywords:
Status: NEW
Alias: CVE-2024-38374
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2294738
Reported: 2024-06-28 19:13 UTC by Pedro Sampaio
Modified: 2024-07-20 08:28 UTC (History)

Fixed In Version: cyclonedx-core-java 9.0.4
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Pedro Sampaio 2024-06-28 19:13:45 UTC
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing CycloneDX Bill of Materials in XML format, _cyclonedx-core-java_ leverages XPath expressions to determine the schema version of the BOM. The `DocumentBuilderFactory` used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. This vulnerability has been fixed in cyclonedx-core-java version 9.0.4.

References:

https://github.com/CycloneDX/cyclonedx-core-java/pull/434
https://github.com/CycloneDX/cyclonedx-core-java/pull/434/commits/ab0bc9c530d24f737970dbd0287d1190b129853d
https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-683x-4444-jxh8

