CVE-2024-38374

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-38374
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-38374.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-38374
Published
2024-06-28T18:01:51Z
Modified
2025-10-30T20:27:20.256277Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Improper Restriction of XML External Entity Reference in org.cyclonedx:cyclonedx-core-java
Details

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing a CycloneDX Bill of Materials in XML format, cyclonedx-core-java uses XPath expressions to determine the schema version of the BOM. The DocumentBuilderFactory used to evaluate those XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection: an attacker-supplied BOM is parsed, and its DOCTYPE and external entities resolved, before any schema check runs. This vulnerability has been fixed in cyclonedx-core-java version 9.0.4.
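The following is an added example, not code from cyclonedx-core-java or its 9.0.4 patch: it places the weak default DocumentBuilderFactory beside a hardened one and runs a hypothetical schema-version probe (reading the root element's namespace URI via XPath, an assumption about how such a probe might look) through either. The feature URIs are the standard JAXP/Xerces hardening settings.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPathFactory;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;

public class BomSchemaVersionProbe {

    // Weak configuration: JAXP defaults honour DOCTYPE declarations and resolve
    // external entities, so the version probe itself is an XXE sink.
    static DocumentBuilderFactory weakFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened configuration: refuse DOCTYPEs outright and, as defence in depth,
    // disable external entities, external DTD loading, XInclude and entity expansion.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        return f;
    }

    // Hypothetical probe (assumption, not the library's code): take the root
    // element's namespace URI and return its last path segment, e.g. "1.5".
    static String schemaVersion(DocumentBuilderFactory factory, byte[] bomXml) throws Exception {
        Document doc = factory.newDocumentBuilder().parse(new ByteArrayInputStream(bomXml));
        String ns = XPathFactory.newInstance().newXPath().evaluate("namespace-uri(/*)", doc);
        return ns.substring(ns.lastIndexOf('/') + 1);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample BOMs; only the second carries a (harmless) DOCTYPE.
        byte[] plain = "<bom xmlns=\"http://cyclonedx.org/schema/bom/1.5\" version=\"1\"/>"
                .getBytes(StandardCharsets.UTF_8);
        byte[] withDoctype = "<!DOCTYPE bom><bom xmlns=\"http://cyclonedx.org/schema/bom/1.5\"/>"
                .getBytes(StandardCharsets.UTF_8);
        System.out.println("hardened, plain BOM: " + schemaVersion(hardenedFactory(), plain));
        System.out.println("weak, DOCTYPE BOM: " + schemaVersion(weakFactory(), withDoctype));
        try { schemaVersion(hardenedFactory(), withDoctype); }
        catch (org.xml.sax.SAXParseException e) { System.out.println("hardened rejected DOCTYPE: " + e.getMessage()); }
    }
}
```

The weak factory accepts the DOCTYPE-bearing BOM and would resolve any entities it declared; the hardened factory throws before entity resolution, which is the check to apply to any parser that reads untrusted SBOMs.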

Database specific
{
    "cwe_ids": [
        "CWE-611"
    ]
}
Affected packages

Git / github.com/cyclonedx/cyclonedx-core-java

Affected ranges

Type
GIT
Repo
https://github.com/cyclonedx/cyclonedx-core-java
Database specific
{
    "versions": [
        {
            "introduced": "2.1.0"
        },
        {
            "fixed": "9.0.4"
        }
    ]
}

Affected versions

cyclonedx-core-java-2.*

cyclonedx-core-java-2.1.0
cyclonedx-core-java-2.1.1
cyclonedx-core-java-2.5.0
cyclonedx-core-java-2.5.1
cyclonedx-core-java-2.6.0
cyclonedx-core-java-2.6.1
cyclonedx-core-java-2.6.2
cyclonedx-core-java-2.6.3
cyclonedx-core-java-2.6.4
cyclonedx-core-java-2.6.5
cyclonedx-core-java-2.7.0

cyclonedx-core-java-3.*

cyclonedx-core-java-3.0.0
cyclonedx-core-java-3.0.1
cyclonedx-core-java-3.0.2
cyclonedx-core-java-3.0.3
cyclonedx-core-java-3.0.4
cyclonedx-core-java-3.0.5
cyclonedx-core-java-3.0.6
cyclonedx-core-java-3.0.7
cyclonedx-core-java-3.0.8

cyclonedx-core-java-4.*

cyclonedx-core-java-4.0.0
cyclonedx-core-java-4.0.1
cyclonedx-core-java-4.0.2
cyclonedx-core-java-4.0.3
cyclonedx-core-java-4.1.0
cyclonedx-core-java-4.1.1
cyclonedx-core-java-4.1.2

cyclonedx-core-java-5.*

cyclonedx-core-java-5.0.0
cyclonedx-core-java-5.0.1
cyclonedx-core-java-5.0.2
cyclonedx-core-java-5.0.3
cyclonedx-core-java-5.0.4
cyclonedx-core-java-5.0.5

cyclonedx-core-java-6.*

cyclonedx-core-java-6.0.0

cyclonedx-core-java-7.*

cyclonedx-core-java-7.0.0
cyclonedx-core-java-7.1.0
cyclonedx-core-java-7.1.1
cyclonedx-core-java-7.1.2
cyclonedx-core-java-7.1.3
cyclonedx-core-java-7.1.4
cyclonedx-core-java-7.1.5
cyclonedx-core-java-7.1.6
cyclonedx-core-java-7.2.0
cyclonedx-core-java-7.2.1
cyclonedx-core-java-7.3.0
cyclonedx-core-java-7.3.1
cyclonedx-core-java-7.3.2

cyclonedx-core-java-8.*

cyclonedx-core-java-8.0.0
cyclonedx-core-java-8.0.1
cyclonedx-core-java-8.0.2
cyclonedx-core-java-8.0.3

cyclonedx-core-java-9.*

cyclonedx-core-java-9.0.0
cyclonedx-core-java-9.0.1
cyclonedx-core-java-9.0.2
cyclonedx-core-java-9.0.3