high
7.5
CWE
611 918
Advisory Published
CVE Published
Updated

CVE-2024-38374: Improper Restriction of XML External Entity Reference in org.cyclonedx:cyclonedx-core-java

First published: Mon Jun 24 2024(Updated: )

### Impact Before deserializing CycloneDX Bill of Materials in XML format, _cyclonedx-core-java_ leverages XPath expressions to determine the schema version of the BOM. The `DocumentBuilderFactory` used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. XXE injection can be exploited to exfiltrate local file content, or perform Server Side Request Forgery (SSRF) to access infrastructure adjacent to the vulnerable application. ### PoC ```java import org.cyclonedx.parsers.XmlParser; class Poc { public static void main(String[] args) { // Will throw org.cyclonedx.exception.ParseException: java.net.ConnectException: Connection refused new XmlParser().parse(""" <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE bom [<!ENTITY % sp SYSTEM "https://localhost:1010/does-not-exist/file.dtd"> %sp;]> <bom xmlns="http://cyclonedx.org/schema/bom/1.5"/> """.getBytes()); } } ``` ### Patches The vulnerability has been fixed in _cyclonedx-core-java_ version 0.9.4. ### Workarounds If feasible, applications can reject XML documents before handing them to _cyclonedx-core-java_ for parsing. This may be an option if incoming CycloneDX BOMs are known to be in JSON format. ### References * Issue was fixed via <https://github.com/CycloneDX/cyclonedx-core-java/pull/434> * Issue was introduced via <https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9> * <https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing> * <https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xpathexpression>

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
maven/org.cyclonedx:cyclonedx-core-java>=2.1.0<9.0.4
9.0.4

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2024-38374?

    CVE-2024-38374 is considered a medium severity vulnerability due to the potential for XML external entity (XXE) injection.

  • How do I fix CVE-2024-38374?

    To fix CVE-2024-38374, upgrade the org.cyclonedx:cyclonedx-core-java library to version 9.0.4 or later.

  • Which versions of cyclonedx-core-java are affected by CVE-2024-38374?

    CVE-2024-38374 affects org.cyclonedx:cyclonedx-core-java versions from 2.1.0 up to but not including 9.0.4.

  • What impact does CVE-2024-38374 have on security?

    The impact of CVE-2024-38374 allows attackers to exploit insecure XML parsing, potentially leading to unauthorized access to sensitive data.

  • Who is impacted by CVE-2024-38374?

    Developers and organizations using affected versions of org.cyclonedx:cyclonedx-core-java for processing CycloneDX Bills of Materials are impacted by CVE-2024-38374.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203