Search
Find a vulnerability
Search criteria
2 vulnerabilities found for cyclonedx-javascript-library by CycloneDX
CVE-2024-34345 (GCVE-0-2024-34345)
Vulnerability from nvd – Published: 2024-05-09 14:56 – Updated: 2024-08-02 02:51
VLAI
Title
@cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability
Summary
The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External entity injections were possible, when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1.
Severity
8.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/CycloneDX/cyclonedx-javascript… | x_refsource_CONFIRM |
| https://github.com/CycloneDX/cyclonedx-javascript… | x_refsource_MISC |
| https://github.com/CycloneDX/cyclonedx-javascript… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CycloneDX | cyclonedx-javascript-library |
Affected:
= 6.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34345",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-09T15:59:54.797606Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:42:18.156Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:51:09.775Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7"
},
{
"name": "https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063"
},
{
"name": "https://github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "cyclonedx-javascript-library",
"vendor": "CycloneDX",
"versions": [
{
"status": "affected",
"version": "= 6.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External entity injections were possible, when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-09T14:56:07.494Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7"
},
{
"name": "https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063"
},
{
"name": "https://github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203"
}
],
"source": {
"advisory": "GHSA-38gf-rh2w-gmj7",
"discovery": "UNKNOWN"
},
"title": "@cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34345",
"datePublished": "2024-05-09T14:56:07.494Z",
"dateReserved": "2024-05-02T06:36:32.437Z",
"dateUpdated": "2024-08-02T02:51:09.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34345 (GCVE-0-2024-34345)
Vulnerability from cvelistv5 – Published: 2024-05-09 14:56 – Updated: 2024-08-02 02:51
VLAI
Title
@cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability
Summary
The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External entity injections were possible, when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1.
Severity
8.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/CycloneDX/cyclonedx-javascript… | x_refsource_CONFIRM |
| https://github.com/CycloneDX/cyclonedx-javascript… | x_refsource_MISC |
| https://github.com/CycloneDX/cyclonedx-javascript… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CycloneDX | cyclonedx-javascript-library |
Affected:
= 6.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34345",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-09T15:59:54.797606Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:42:18.156Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:51:09.775Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7"
},
{
"name": "https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063"
},
{
"name": "https://github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "cyclonedx-javascript-library",
"vendor": "CycloneDX",
"versions": [
{
"status": "affected",
"version": "= 6.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External entity injections were possible, when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-09T14:56:07.494Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7"
},
{
"name": "https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063"
},
{
"name": "https://github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203"
}
],
"source": {
"advisory": "GHSA-38gf-rh2w-gmj7",
"discovery": "UNKNOWN"
},
"title": "@cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34345",
"datePublished": "2024-05-09T14:56:07.494Z",
"dateReserved": "2024-05-02T06:36:32.437Z",
"dateUpdated": "2024-08-02T02:51:09.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}