The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing CycloneDX Bill of Materials in XML format, _cyclonedx-core-java_ leverages XPath expressions to determine the schema version of the BOM. The `DocumentBuilderFactory` used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. This vulnerability has been fixed in cyclonedx-core-java version 9.0.4.
Configurations
No configuration.
History

01 Jul 2024, 12:37

| Type | Values Removed | Values Added |
|---|---|---|
| Summary | | |

28 Jun 2024, 18:15

| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2024-06-28 18:15
Updated : 2024-07-01 12:37
NVD link : CVE-2024-38374
Mitre link : CVE-2024-38374
CVE.ORG link : CVE-2024-38374
Products Affected
No product.
CWE
CWE-611
Improper Restriction of XML External Entity Reference