
exploitDog


CVE-2024-38374

Published: 28 Jun 2024
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing CycloneDX Bill of Materials in XML format, cyclonedx-core-java leverages XPath expressions to determine the schema version of the BOM. The DocumentBuilderFactory used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. This vulnerability has been fixed in cyclonedx-core-java version 9.0.4.

A flaw was found in cyclonedx-core-java. It is vulnerable to XML External Entity (XXE) injection due to an insecure configuration of the DocumentBuilderFactory used to evaluate XPath expressions.
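The two sentences above describe the whole bug: the XML is parsed with a default `DocumentBuilderFactory` so that an XPath expression can read the schema version, and a default factory honours a `DOCTYPE` with external entities. The following Java program is an added illustration of that pattern and of the hardened configuration; it is not code from cyclonedx-core-java or from the 9.0.4 fix. The class and method names, the sample BOM and the temporary file it reads are all made up for the example; only the JAXP feature names and the CycloneDX namespace URI are real.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class BomXpathXxeDemo {

    // Constructed sample input (not from the library's test data): a CycloneDX
    // 1.5 BOM with an injected DOCTYPE whose external entity points at a file.
    static String maliciousBom(String fileUri) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
             + "<!DOCTYPE bom [<!ENTITY xxe SYSTEM \"" + fileUri + "\">]>\n"
             + "<bom xmlns=\"http://cyclonedx.org/schema/bom/1.5\" version=\"1\">\n"
             + "  <metadata><component type=\"library\">\n"
             + "    <name>&xxe;</name>\n"
             + "  </component></metadata>\n"
             + "</bom>\n";
    }

    // Weak configuration: a default factory accepts DOCTYPE declarations and
    // resolves SYSTEM entities, which is the CWE-611 condition.
    static DocumentBuilderFactory insecureFactory() {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        return dbf;
    }

    // Hardened configuration: reject any DOCTYPE up front, and additionally turn
    // off external entities, external DTD loading and XInclude for parsers that
    // do not implement disallow-doctype-decl.
    static DocumentBuilderFactory secureFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    static Document parse(DocumentBuilderFactory dbf, String xml) throws Exception {
        return dbf.newDocumentBuilder()
                  .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // The pre-deserialisation step the advisory describes: read the schema
    // version from the root element's namespace URI with XPath.
    static String schemaVersion(DocumentBuilderFactory dbf, String xml) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        String ns = xpath.evaluate("namespace-uri(/*)", parse(dbf, xml));
        return ns.substring(ns.lastIndexOf('/') + 1);
    }

    // What the attacker gains with the weak factory: the entity is expanded and
    // the file contents end up inside the parsed document.
    static String componentName(DocumentBuilderFactory dbf, String xml) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        return xpath.evaluate("string(/*[local-name()='bom']/*[local-name()='metadata']"
                            + "/*[local-name()='component']/*[local-name()='name'])",
                              parse(dbf, xml));
    }

    public static void main(String[] args) throws Exception {
        // Throwaway file standing in for something like a credentials file.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "token=not-for-the-bom");
        String bom = maliciousBom(secret.toUri().toString());

        System.out.println("insecure schema version: " + schemaVersion(insecureFactory(), bom));
        System.out.println("insecure component name: " + componentName(insecureFactory(), bom));

        try {
            schemaVersion(secureFactory(), bom);
        } catch (SAXParseException e) {
            System.out.println("secure: DOCTYPE rejected before any entity was resolved: "
                               + e.getMessage());
        }
        Files.deleteIfExists(secret);
    }
}
```

Run it with `javac BomXpathXxeDemo.java && java BomXpathXxeDemo`. The insecure path prints the schema version and then the temporary file's contents as the component name; the secure path fails at `parse()` with a `SAXParseException` about the disallowed DOCTYPE, so the XPath step never sees attacker-controlled entity content. The same factory must be used for every parse of untrusted XML in the code base, including the one that only "peeks" at the version: that peek was exactly the parse that was left unhardened here.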

Affected packages

Platform                                                      Package              State
Migration Toolkit for Applications 6                          cyclonedx-core-java  Will not fix
Migration Toolkit for Runtimes                                cyclonedx-core-java  Will not fix
Red Hat build of Apache Camel for Spring Boot 4               cyclonedx-core-java  Not affected
Red Hat build of Quarkus                                      cyclonedx-core-java  Not affected
Red Hat JBoss Enterprise Application Platform 7               cyclonedx-core-java  Not affected
Red Hat JBoss Enterprise Application Platform 8               cyclonedx-core-java  Not affected
Red Hat JBoss Enterprise Application Platform Expansion Pack  cyclonedx-core-java  Not affected
streams for Apache Kafka                                      cyclonedx-core-java  Not affected

(The Recommendation and Release columns are empty for every row.)


Additional information

Status: Important
Weakness: CWE-611
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2294737
cyclonedx-core-java: XML External Entity injection while evaluating XPath expressions

EPSS: 0.00083 (percentile: 24%), Low

CVSS3: 7.5 High

Related vulnerabilities

CVSS3: 7.5
nvd
more than 1 year ago

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing CycloneDX Bill of Materials in XML format, _cyclonedx-core-java_ leverages XPath expressions to determine the schema version of the BOM. The `DocumentBuilderFactory` used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. This vulnerability has been fixed in cyclonedx-core-java version 9.0.4.

CVSS3: 7.5
github
more than 1 year ago

Improper Restriction of XML External Entity Reference in org.cyclonedx:cyclonedx-core-java
