Home > Vulnerability Database > CVE-2024-38374

Mend.io Vulnerability Database

CVE-2024-38374

Good to know:

Date: June 28, 2024

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing CycloneDX Bill of Materials in XML format, cyclonedx-core-java leverages XPath expressions to determine the schema version of the BOM. The "DocumentBuilderFactory" used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. This vulnerability has been fixed in cyclonedx-core-java version 9.0.4.

Language: Java

Severity Score

7.5

Related Resources (6)

Url: https://github.com/CycloneDX/cyclonedx-core-java

Url: https://github.com/CycloneDX/cyclonedx-core-java/pull/434

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-38374

Url: https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-683x-4444-jxh8

Url: https://github.com/CycloneDX/cyclonedx-core-java/pull/434/commits/ab0bc9c530d24f737970dbd0287d1190b129853d

Url: https://www.mend.io/vulnerability-database/CVE-2024-38374

Severity Score

7.5

Weakness Type (CWE)

Improper Restriction of XML External Entity Reference

CWE-611

Top Fix

Upgrade Version

Upgrade to version org.cyclonedx:cyclonedx-core-java:9.0.4

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-38374

Good to know:

Date: June 28, 2024

Language: Java

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?