CVE-2024-38374: Improper Restriction of XML External Entity Reference in org.cyclonedx:cyclonedx-core-java

June 24, 2024

Before deserializing CycloneDX Bill of Materials in XML format, cyclonedx-core-java leverages XPath expressions to determine the schema version of the BOM. The DocumentBuilderFactory used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection.

XXE injection can be exploited to exfiltrate local file content, or perform Server Side Request Forgery (SSRF) to access infrastructure adjacent to the vulnerable application.

References

github.com/CycloneDX/cyclonedx-core-java
github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-683x-4444-jxh8
github.com/advisories/GHSA-683x-4444-jxh8
nvd.nist.gov/vuln/detail/CVE-2024-38374

Detect and mitigate CVE-2024-38374 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →