Description
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML Validator used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 was incomplete in that it only fixed parsing of XML BOMs, but not validation. The vulnerability has been fixed in cyclonedx-core-java version 11.0.1. As a workaround, applications can reject XML documents before handing them to cyclonedx-core-java for validation. This may be an option if incoming CycloneDX BOMs are known to be in JSON format.
An XML External Entity (XXE) injection vulnerability was found in the CycloneDX Java core library’s XML validation step where the XML Validator was not configured securely. When a specially crafted CycloneDX BOM (XML) is validated, external XML entities can be processed (XXE), allowing an attacker to cause the application to disclose local files or make requests to internal network resources. This can occur when untrusted BOM XML is parsed or validated by the library.
Statement
The flaw has been rated High severity, because a remote attacker could craft a malicious CycloneDX SBOM that, when validated by an affected system, may result in disclosure of sensitive information from local files or internal network resources. Exploitation does not require authentication or user interaction, but it depends on the application accepting and processing untrusted CycloneDX XML input, which is typical of environments that automatically ingest SBOMs from external or untrusted sources.
Mitigation
Reject or block XML-formatted BOMs from untrusted sources before handing them to the library (e.g., require BOMs to be JSON or only accept BOMs from trusted origins).
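An added example (not the library's own code) of the two defensive options described above, using only the JDK's JAXP API: a pre-check that refuses XML input when a JSON BOM is expected, and, for deployments that must validate XML, a Validator built with external DTD and schema access disabled. The class and method names are this example's own; how the schema text is obtained is left to the caller.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

public final class BomIntakeGate {
    // Workaround from the advisory: when only JSON BOMs are expected, refuse anything
    // that looks like an XML document before it reaches the library's validator.
    static boolean looksLikeXml(byte[] body) {
        int i = 0;
        if (body.length >= 3 && (body[0] & 0xFF) == 0xEF
                && (body[1] & 0xFF) == 0xBB && (body[2] & 0xFF) == 0xBF) {
            i = 3; // skip a UTF-8 byte-order mark
        }
        while (i < body.length && Character.isWhitespace(body[i])) i++;
        return i < body.length && body[i] == '<';
    }

    static byte[] requireJsonBom(byte[] body) {
        if (looksLikeXml(body)) {
            throw new IllegalArgumentException("XML BOMs are not accepted from this source; submit JSON");
        }
        return body;
    }

    // For deployments that must validate XML BOMs: build the Schema with JAXP secure
    // processing on and no access to external DTDs or schema locations.
    static Schema hardenedSchema(String xsdText) throws SAXException {
        SchemaFactory f = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newSchema(new StreamSource(new StringReader(xsdText)));
    }

    // The Validator has its own copies of these properties; set them again on it,
    // since an external entity in the document under validation is resolved here.
    static Validator hardenedValidator(Schema schema) throws SAXException {
        Validator v = schema.newValidator();
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");    // no external DTDs / entities
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // no schema fetches over the network
        return v;
    }
}
```

With these properties set, a document carrying an external entity fails validation instead of having the entity resolved, which is the behaviour a defender wants to confirm with a test BOM before relying on it.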
Affected Packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Cryostat 4 | cyclonedx-core-java | Not affected | | |
| Red Hat AMQ Clients | cyclonedx-core-java | Not affected | | |
| Red Hat build of Apache Camel for Spring Boot 4 | cyclonedx-core-java | Fix deferred | | |
| Red Hat build of Apache Camel - HawtIO 4 | cyclonedx-core-java | Not affected | | |
| Red Hat build of Apicurio Registry 2 | cyclonedx-core-java | Affected | | |
| Red Hat build of Apicurio Registry 3 | cyclonedx-core-java | Affected | | |
| Red Hat build of Debezium 3 | cyclonedx-core-java | Will not fix | | |
| Red Hat Data Grid 8 | cyclonedx-core-java | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 7 | cyclonedx-core-java | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 8 | cyclonedx-core-java | Not affected | | |
Additional Information
CVSS3 base score: 7.5 (High)
Related Vulnerabilities
CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection