CNNVD-202511-885 Information

CNNVD ID

CNNVD-202511-885

CVE-2025-64518

  • CNNVD Published: 2025-11-10

Description (Chinese)

CycloneDX Core is software from the open-source CycloneDX BOM Standard project that assists in building SBOM applications. Versions of CycloneDX Core before 11.0.1 contain a code problem vulnerability: the XML Validator is not securely configured, which may allow XML External Entity (XXE) injection attacks.

Description (English)

CycloneDX Core is software from the open-source CycloneDX BOM Standard project that assists in building SBOM applications. Versions of CycloneDX Core before 11.0.1 contain a code problem vulnerability: the XML Validator was not securely configured, which could allow an XML External Entity (XXE) injection attack.
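The hardening that the OWASP SchemaFactory guidance in the references describes, as an added Java example (not CycloneDX Core's own code or its actual fix): a JAXP schema validator configured so that neither the SchemaFactory nor the Validator will resolve external DTDs, entities or schema locations. The schema and document below are constructed stand-ins, not the real CycloneDX XSD.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;

public final class HardenedBomValidation {

    // Constructed minimal schema standing in for a BOM schema (not the real CycloneDX XSD).
    private static final String SAMPLE_XSD =
        "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema' targetNamespace='urn:example:bom'"
      + " xmlns='urn:example:bom' elementFormDefault='qualified'>"
      + "<xs:element name='bom'><xs:complexType><xs:sequence>"
      + "<xs:element name='component' type='xs:string' maxOccurs='unbounded'/>"
      + "</xs:sequence></xs:complexType></xs:element></xs:schema>";

    // Constructed sample document to validate.
    private static final String SAMPLE_BOM =
        "<bom xmlns='urn:example:bom'><component>pkg:maven/org.example/lib@1.0</component></bom>";

    /** Hardened factory: with JAXP defaults alone, external DTD and schema access may be allowed. */
    static Schema hardenedSchema() throws Exception {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");    // no external DTDs or entities
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // no xsi:schemaLocation fetches
        return factory.newSchema(new StreamSource(new StringReader(SAMPLE_XSD)));
    }

    /** The Validator parses the untrusted document itself, so it gets the same restrictions. */
    static boolean validate(Schema schema, String xml) {
        try {
            Validator validator = schema.newValidator();
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            validator.validate(new StreamSource(new StringReader(xml)));
            return true; // well-formed, schema-valid, and no external resource was resolved
        } catch (Exception e) {
            return false; // invalid, or the parser refused an external DTD/schema/entity reference
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened validation of sample BOM: " + validate(hardenedSchema(), SAMPLE_BOM));
    }
}
```

A document that declares an external DTD or entity is rejected by this configuration instead of being fetched, which is the behaviour to confirm when reviewing any XML-validating code path that accepts BOMs from untrusted sources.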

Hazard Level

Medium

Vulnerability Type

Code problem

Affected Vendor

CycloneDX BOM Standard

Published

2025-11-10

Last Modified

2026-02-24

References

  • https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory
  • https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9
  • https://github.com/CycloneDX/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314
  • https://github.com/CycloneDX/cyclonedx-core-java/pull/737
  • https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-6fhj-vr9j-g45r

Patch

https://github.com/CycloneDX/cyclonedx-core-java/releases