CVE-2024-38374
HIGHcyclonedx-core-java 2.1.0-9.0.3 - XML External Entity Injection via XPath Expression Evaluation
Title source: llmDescription
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing CycloneDX Bill of Materials in XML format, _cyclonedx-core-java_ leverages XPath expressions to determine the schema version of the BOM. The `DocumentBuilderFactory` used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. This vulnerability has been fixed in cyclonedx-core-java version 9.0.4.
References (3)
Core 3
Core References
Patch x_refsource_misc
https://github.com/CycloneDX/cyclonedx-core-java/pull/434/commits/ab0bc9c530d24f737970dbd0287d1190b129853d
Issue Tracking x_refsource_misc
https://github.com/CycloneDX/cyclonedx-core-java/pull/434
Vendor Advisory x_refsource_confirm
https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-683x-4444-jxh8
Scores
CVSS v3
7.5
EPSS
0.0059
EPSS Percentile
43.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-611
Status
published
Products (2)
CycloneDX/cyclonedx-core-java
>= 2.1.0, < 9.0.4
org.cyclonedx/cyclonedx-core-java
2.1.0 - 9.0.4Maven
Published
Jun 28, 2024
Tracked Since
Feb 18, 2026