CVE-2024-50611
Severity
HIGH
CycloneDX cdxgen < 11.1.7 - Remote Code Execution via Untrusted Build Files
CycloneDX cdxgen through 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example, OWASP dep-scan. NOTE: this has been characterized as a design limitation, rather than an implementation mistake.
References (3)
Core References
Various Sources
https://github.com/CycloneDX/cdxgen/releases
Various Sources
https://owasp.org/www-project-dep-scan/
Issue Tracking
https://github.com/CycloneDX/cdxgen/issues/1328
Scores
CVSS v3
7.2
EPSS
0.0083
EPSS Percentile
52.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (1)
cyclonedx/cdxgen
0 - 11.1.7 (npm)
Published
Oct 27, 2024
Tracked Since
Feb 18, 2026