CVE-2024-38374 Information
Description
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating validating and parsing SBOMs. Before deserializing CycloneDX Bill of Materials in XML format cyclonedx-core-java leverages XPath expressions to determine the schema version of the BOM. The DocumentBuilderFactory used to evaluate XPath expressions was not configured securely making the library vulnerable to XML External Entity (XXE) injection. This vulnerability has been fixed in cyclonedx-core-java version 9.0.4.
Reference
https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-683x-4444-jxh8 https://github.com/CycloneDX/cyclonedx-core-java/pull/434 https://github.com/CycloneDX/cyclonedx-core-java/pull/434/commits/ab0bc9c530d24f737970dbd0287d1190b129853d
Share on: